Abstract. In recent years, mixed integer linear programming (MILP, in short)
has been widely used to search for differential characteristics and linear
approximations with high probability, and has gradually become a powerful
tool of automated cryptanalysis in symmetric ciphers. A key problem in
the MILP method is how to fully characterize a set $S \subseteq \{0,1\}^n$ with
as few linear integer inequalities $L$ as possible, which is called a full
linear integer inequality characterization (FLIIC, in short) problem. In this
work we establish a complete theory to solve a best solution of a FLIIC
problem. Specifically, we start from plain sets, which can be characterized
by exactly one linear integer inequality, and give their essential properties,
including type, sparsity, degeneration, order, minimal and maximal
element, norm and its bound, etc., and a sufficient and necessary condition
characterizing them. Based on these essential properties, we further
provide an algorithm for solving a FLIIC problem with $S$, which can produce
all minimal plain closures (MPC, in short) of $S$ and output a best
FLIIC theoretically. Our algorithm is very efficient and practical, and
can output the MPCs of $S$ of dimension no more than 18. For example,
all MPCs of the AES S-box are obtained within 32 seconds on our personal
workstation. As results, we give the MPCs of many S-boxes used in block
ciphers of size no more than 9 × 9 and their FLIIC solutions. To the best
of our knowledge, this is the first time that all of their MPCs are given, and all of
our FLIIC solutions are the best-known results at present. In particular, our
FLIIC solutions in the higher dimensional case are far better than the
previous results; for example, we get a solution of the AES S-box
containing only 2372 inequalities.
1 Introduction


Mixed integer linear programming (MILP, in short) is an important problem
in operations research, which can be formally stated as follows: Given
$A \in \mathbb{R}^{m \times n}$, $b \in \mathbb{R}^m$ and $c_1, \ldots, c_n \in \mathbb{R}$, find an
$x \in \mathbb{Z}^k \times \mathbb{R}^{n-k} \subseteq \mathbb{R}^n$ such that the linear function
$c_1 x_1 + c_2 x_2 + \cdots + c_n x_n$ is minimized (or maximized) with respect
to the linear constraints $Ax \le b$, where $\mathbb{R}$ and $\mathbb{Z}$ are the sets of all real numbers
and integers respectively. An MILP problem usually consists of three parts:
variables, an objective function and constraints. There are several solvers for
MILP problems, such as Gurobi [Opt20], Cplex and Minisat [ES03].

Differential analysis and linear analysis are two of the most
important cryptanalysis techniques for block ciphers, and several useful techniques have been
developed based on them, such as the truncated differential attack [Knu94], the
related-key differential attack [Bih94], the impossible differential attack and the zero
correlation attack [BR11]. In recent years, automated search algorithms for
differential characteristics and linear approximations have gained considerable
attention. The MILP-based method is the most used one among them. It was
first introduced by Mouha et al. to search for the minimal number of active S-boxes
in differential analysis and linear analysis [MWGP11]. Later Sun et al.
described the differential property of an S-box with linear inequalities to search
for (related-key) differential characteristics automatically for bit-oriented block
ciphers. Following that, the MILP method got considerable attention and was
further applied to other cryptanalysis algorithms. In [FWG+16], Fu et al. searched
for differential and linear characteristics for ARX ciphers. Xiang et al.
searched for integral distinguishers by translating the propagation of the division
property into an MILP problem. Zero-correlation distinguishers were searched for in
[TSK 16]. In [ST17], some new impossible differential distinguishers were
found by MILP techniques. In addition, a new MILP model was developed to
consider the effect of the ladder switch technique when combining two short
differential trails into boomerang or rectangle attacks [CHP+17]. By modeling the
division trails in the MILP language, the superpoly could be recovered in cube
attacks.


1.1 Related Works 


Mouha et al. first applied the MILP method to automated search
algorithms for differential cryptanalysis. A key problem of constructing an MILP
model is to fully characterize a given set $S \subseteq \{0,1\}^n$ with linear integer
inequalities. Mouha et al. characterized a specific set for $n = 3$ with dummy variables.
Later, researchers focused on characterizing sets for $n < 16$ without dummy
variables. Generally speaking, there are two steps to solve this problem: first,
produce abundant high-quality linear inequalities $L$; second, choose as few linear
inequalities $L'$ from $L$ as possible such that their solution set on
$\{0,1\}^n$ exactly covers $S$.

In [SHW+14], Sun et al. computed the H-representation of the convex hull
of $S$ with the mathematical software SAGE [Dev20]. They first got $L$ based on the
H-representation and some logic conditions, and then applied a greedy algorithm
to choose $L'$. However, their method became impractical when $n > 13$ due to
the high time complexity of the H-representation computation. For $n < 16$,
Abdelkhalek et al. converted the problem of finding $L'$ into a problem
of minimizing the product-of-sum representation of Boolean functions and solved
it with the Quine-McCluskey algorithm or the Espresso algorithm [BHMSV84].
One disadvantage of their method was that the solution $L'$ they found usually
contained too many linear inequalities; another is that it does not guarantee that the
number of linear inequalities in $L'$ is minimal. In response to this problem,
Todo and Sasaki [ST17] proposed an MILP model to choose $L'$ for a given set
$L$. Their MILP model could help users obtain the minimal number of linear
inequalities from $L$ for $n < 10$. For $n > 10$, they usually got a better solution
whose size was relatively small.

Afterwards, researchers tended to look for a better $L$. In [LWZZ19], based on
the relationship between coefficients of linear inequalities and the corresponding
points in $S$, Li et al. proposed a new way to obtain $L$ for $S \subseteq \{0,1\}^n$ from
a lower dimensional case $S_{low} \subseteq \{0,1\}^{n-1}$. This method depended on previous
methods and was suitable for a somewhat larger $n$. Boura et al. further improved
the results of previous works by means of algebraic and geometrical methods.
For $n < 10$, they could get a potentially better $L'$ from a given set of linear
inequalities $L$ by adding up some inequalities in $L$. For larger $n$, they explored
a new structure of points in $\{0,1\}^n \setminus S$ that could be cut by the same inequality
and got some better results.

We notice that Aleksei and Yao [Sun21] also studied properties of
$S$ that can be characterized by only one linear inequality (see footnote 3), but there are many
differences in ideas, methods and conclusions from ours, and a detailed comparison
will be provided in Subsection 5.3.


1.2 Our Contributions 


For a given subset $S$ of $\{0,1\}^n$, let $L$ be a set of linear integer inequalities such
that the solution set of $L$ on $\{0,1\}^n$ is exactly $S$. We call $L$ a full linear integer
inequality characterization (FLIIC, in short) of $S$. Denote by $|L|$ the number of
inequalities in $L$. Our goal is to find an $L$ such that $|L|$ is as small as possible.
Our main contribution is to establish a complete theory of solving a best solution
of the above problem.

Firstly, we introduce an undirected graph of $S$ and give a bound of $|L|$ based
on graph theory, that is, $B(G_n(\bar{S})) \le |L| \le |\bar{S}|$, where $\bar{S}$ is the complementary
set of $S$ in $\{0,1\}^n$, and $B(G_n(\bar{S}))$ is the number of connected branches of $G_n(\bar{S})$.

Secondly, we focus on plain sets, which can be characterized by a single
linear inequality $l$, and present their essential properties, including type, sparsity,
degeneration, order, minimal and maximal element, norm and its bound, etc.
We then give a sufficient and necessary condition characterizing a plain set.
Based on the above knowledge, we further provide an algorithm for solving a
FLIIC problem with $S$, which can produce all minimal plain closures (MPC,
in short) of $S$ and output a best FLIIC theoretically. Our algorithm is very
efficient and practical, and can output the MPCs of $S$ of dimension no more
than 18. For example, all MPCs of the AES S-box are obtained within 32 seconds on
our workstation (DELL T640, 2 CPUs, 28 cores, 512G memory).

3 Here it should be mentioned that our work was indeed independent of the above
two works. In Sept 2021, we submitted it to EUROCRYPT 2022 and it was rejected.
Later we added some experimental data on high dimensional S-boxes and impossible
differentials according to the reviewers' comments.

Finally, we apply our algorithm to many S-boxes used in block ciphers. The
exact number of closures and the computation time are listed in Table 1, and some
results and comparisons with previous works are shown in Table 2. To the best
of our knowledge, this is the first time that all of their MPCs are given, and all of our FLIIC
solutions are the best-known results at present.


Table 1. Number of all minimal closures of S-boxes and their computation times

Size    Sbox            #Poss/#Imposs²   #Minimal Closures   Times¹
4 bits  SKINNY64        97/159           704                 '« 10-5 s
        RECTANGLE       97/159           1033                pS lO a
        LBlock S0       97/159           737                 « 10 8s
        LBlock S1       97/159           737                 EE
        LBlock S2       97/159           737                 «10 8s
        PICCOLO         97/159           704                 SE
        Serpent S6      97/159           464                 zos
        GIFT            99/157           723                 « 1078 s
        Present         97/159           464                 SETS
        Klein           106/150          370                 «1085s
        Prince          106/150          330                 « i979 s
        Pride           97/159           694                 E 107 s
        FBC             97/159           921                 « 10-8 s
        Minalpher       106/150          322                 ji RE
        Pyjamask        97/159           642                 Zio? g
        Noekeon         103/153          372                 « 10-78 s
        Panda           106/150          333                 EIOS
        KNOT            97/159           1033                ZO? gm
        Elephant        97/159           631                 « 10-8 s
        SC2000-4        103/153          480                 « 10 8s
        SC2000-4 Inv    103/153          480                 ges
        Enocoro S4      103/153          480                 « 10-8 s
5 bits  KECCAK          s1770            95079               l- 500s
        Ascon           317/707          46765               0.4097 s
        FIDES-5         497/527          2163                0.0029 s
        SC2000-5        497/527          1790                [grs
        DryGASCON128    317/707          46754               0.435 s
        Shamash         497/527          4637                0.0278 s
        Sycon           317/707          46746               0.433 s
6 bits  APN-6           3017/2075        31975               moa
        FIDES-6         2017/2079        14359               0.0865 s
        SC2000-6        1954/2142        14896               0.0448 s
7 bits  WAGE            6361/10023       1312603             4 m 18 s
        MISTY           8129/8255        77234               (gs
        Kasumi          8129/8255        77230               1 s
8 bits  AES             32386/33150      609962              32 s
        SMS4            32386/33150      626742              1 m 13 s
        ZUC S1          32386/33150      619751              51 s
        SNOW3G          25862/39674      3955092             145 m 59 s
        Camellia        32386/33150      632121              mas

¹ The time column represents the running time of Algorithm 4.
² #Poss (#Imposs) represents the number of possible patterns (impossible patterns).
Table 2. Number of inequalities to model differential transitions for various S-boxes

[Table body not recoverable from the extracted text. Surviving row labels:
4 bits: SKINNY64, LBlock S0, LBlock S2, Serpent S6, Present, FBC, Pyjamask, Panda,
Elephant, SC2000-4 Inv; 5 bits: Ascon, SC2000-5, Shamash; 6 bits: FIDES-6;
7 bits: MISTY-7; 8 bits: SKINNY128, ZUC S0, SNOW3G; 9 bits: DryGASCON256.]


1.3 Organization 


The rest of the paper is organized as follows: Some preliminaries and notations
are given in Section 2. In Section 3, we discuss a FLIIC from the viewpoint of
graph theory and give a bound of its characterization cardinality. In Section 4,
we study some essential properties of plain sets, including type, sparsity,
degeneration, order, minimal or maximal elements, norm and its bound, etc. Based
on these properties, we obtain a sufficient and necessary condition of a plain
set. In Section 5, to characterize an arbitrary given set $S$ efficiently, we discuss
the plain closure of $S$ and provide a new algorithm to get all the minimal plain
closures of $S$, which can be applied to solve a FLIIC problem with $S$. Finally,
in Section 6, the best FLIICs of differential properties of many S-boxes used in
block ciphers are obtained along with the exact number of their minimal
closures. Meanwhile, some experimental results of automated cryptanalysis which
reflect the improvement of efficiency are provided.


2 Notations and Preliminaries 


In this section we give a brief overview of some notations and definitions. Table 3
lists some of the notations.


Table 3. The notations used throughout the paper

Notation                                                    Description
$n$                                                         A positive integer
$\mathbb{Z}_2$                                              The set $\{0,1\}$
$\mathbb{Z}_2^n$                                            The set of all $n$-tuples over $\mathbb{Z}_2$, i.e., $\{0,1\}^n$
$\mathbb{L}_n$                                              The set of all subsets of $\mathbb{Z}_2^n$
$\mathcal{P}_n$                                             The set of all plain sets in $\mathbb{Z}_2^n$
$\|\cdot\|$                                                 Norm
$|\cdot|$                                                   Absolute value of an integer or cardinality of a set
$|\cdot|_c$                                                 Characterization cardinality of a set
$x[i]$                                                      The $i$-th bit of $x$
$wt(x)$                                                     Hamming weight of $x$
$e_i$                                                       An $n$-bit unit whose $i$-th element is 1 and others are 0
$x \oplus y$                                                Bitwise XOR between $x$ and $y$
$d(x, y)$                                                   Hamming distance between $x$ and $y$, $x, y \in \mathbb{Z}_2^n$
$S$                                                         A subset of $\mathbb{Z}_2^n$
$\bar{S}$                                                   The complementary set of $S$ in $\mathbb{Z}_2^n$
$l: \sum_{i=0}^{n-1} a_i x_i \ge b$                         A linear inequality whose coefficients are integers
$(a_0, a_1, \ldots, a_{n-1}, b)$                            The linear inequality $\sum_{i=0}^{n-1} a_i x_i \ge b$
$L = \{l_i \mid l_i: \sum_{j=0}^{n-1} a_{i,j} x_j \ge b_i\}$   A set of inequalities whose coefficients are integers
Here we first introduce the concept of full linear integer inequality
characterization for an arbitrary given set $S \in \mathbb{L}_n$.


Definition 1 (Full Linear Integer Inequality Characterization). Let $S \in \mathbb{L}_n$
and $L$ be a set of linear integer inequalities:

$$
\begin{cases}
a_{0,0} x_0 + a_{0,1} x_1 + \cdots + a_{0,n-1} x_{n-1} \ge b_0, \\
a_{1,0} x_0 + a_{1,1} x_1 + \cdots + a_{1,n-1} x_{n-1} \ge b_1, \\
\qquad \vdots \\
a_{m-1,0} x_0 + a_{m-1,1} x_1 + \cdots + a_{m-1,n-1} x_{n-1} \ge b_{m-1}.
\end{cases}
\tag{1}
$$

$L$ is called a full linear integer inequality characterization (FLIIC, in short) of
$S$ if the solution set of $L$ on $\mathbb{Z}_2^n$ is $S$ exactly. We also say $L$ fully characterizes
$S$.


For a given set $S \in \mathbb{L}_n$, a natural question is whether its FLIIC exists. Before
answering this question, we make conventions on the meaning of the symbols $l$
and $L$ for convenience. For a given linear inequality

$$l: \sum_{i=0}^{n-1} a_i x_i \ge b,$$

we will use an $(n+1)$-tuple $(a_0, a_1, \ldots, a_{n-1}, b)$ to represent it. At the same
time, we still use $l$ to denote its solution set on $\mathbb{Z}_2^n$ without confusion. Thus $\bar{l}$
means the complementary set of $l$ in $\mathbb{Z}_2^n$ when it is viewed as a set, and the
inequality $\sum_{i=0}^{n-1} a_i x_i < b$ when it is viewed as an inequality, that is,
$\sum_{i=0}^{n-1} (-a_i) x_i \ge -b + 1$. Define the norm $\|l\|$ of $l$ as below:

$$\|l\| := \max\{|a_i|, |b|, \ 0 \le i \le n-1\}.$$

Similarly, let $L = \{l_i \mid 0 \le i \le m-1\}$, and we have $L = \bigcap_{i=0}^{m-1} l_i$ when $L$ is viewed
as a set. Particularly, if $L$ has only one inequality $l$, we use $l$ instead of $L$. The
norm $\|L\|$ of $L$ is defined as below:

$$\|L\| := \max\{\|l_i\| \mid 0 \le i \le m-1\}.$$
A toy example is given here to illustrate the above definitions.


Example 1. Let
$$S = \{000, 100, 101\}$$
be a subset of $\mathbb{Z}_2^3$. Then the complementary set of $S$ is
$$\bar{S} = \{010, 001, 110, 011, 111\}.$$
Denote the following inequality set as $L$:

$$
\begin{cases}
x_0 - x_1 - x_2 \ge 0, \\
-x_0 - x_1 + x_2 \ge -1,
\end{cases}
$$

which contains two inequalities, denoted by $l_1$ and $l_2$ respectively. Considering the
solution sets of $l_1$ and $l_2$, we have:

$$l_1 = \{000, 100, 110, 101\}$$
and
$$l_2 = \{000, 100, 010, 001, 101, 011, 111\}.$$
Since $L = l_1 \cap l_2 = S$, $L$ is a FLIIC of $S$ with $\|L\| = 1$.

Next we prove the existence of the FLIIC of $S$.


Theorem 1 (Existence of the FLIIC). For an arbitrary given set $S \in \mathbb{L}_n$,
there must exist a FLIIC $L$ of $S$.


Proof: If $S = \mathbb{Z}_2^n$, it is easy to check that $x_0 \ge 0$ is a FLIIC of $S$. When $S \ne \mathbb{Z}_2^n$,
we have $\bar{S} \ne \emptyset$. For $x, c \in \mathbb{Z}_2^n$, we have $x[i] \oplus c[i] = x[i](1 - c[i]) + c[i](1 - x[i])$.
Denote

$$l_c: \sum_{i=0}^{n-1} \left[ (1 - c[i]) x_i + c[i] (1 - x_i) \right] \ge 1.$$

Then we have $\bar{l_c} = \{c\}$. Therefore $L = \{l_c \mid c \in \bar{S}\}$ is a FLIIC of $S$.

For a given set $S \in \mathbb{L}_n$, we know the FLIIC of $S$ always exists. Denote by
$C(S)$ the set of all FLIICs of $S$. Obviously, for any $L \in C(S)$ and a positive integer $k$, we
have $kL \in C(S)$, where $kL = \{kl \mid l \in L\}$:


n—1 n—1 
i=0 i=0 


Thus we have $|C(S)| = \infty$. In order to improve the efficiency of the MILP
method, we expect that $L$ chosen from $C(S)$ satisfies that both $|L|$ and $\|L\|$ are
as small as possible. Therefore we introduce two concepts: the characterization
cardinality and the norm of $S$.


Definition 2 (The Characterization Cardinality and Norm of Set). For
a set $S \in \mathbb{L}_n$, its characterization cardinality, denoted by $|S|_c$, is defined as the
minimal cardinality of all FLIICs of $S$:

$$|S|_c = \min\{|L| \mid L \in C(S)\}$$

and its norm, denoted by $\|S\|$, as the minimal norm of all FLIICs of $S$ with
cardinality $|S|_c$:

$$\|S\| = \min\{\|L\| \mid |L| = |S|_c, \ L \in C(S)\}.$$


To describe the FLIICs with minimal cardinality and norm, we introduce the
definition of best FLIIC.


Definition 3 (Best FLIIC). For $S \in \mathbb{L}_n$ and $L \in C(S)$, we say $L$ is a best
FLIIC of $S$ if $|L| = |S|_c$ and $\|L\| = \|S\|$.
According to the definition, there might be more than one best FLIIC, but
they all have the same cardinality and norm.


Example 2. Review Example 1 mentioned above. It is easy to check that $S$ is
also the solution set of

$$l: x_0 - 2x_1 - x_2 \ge 0,$$

i.e., $L = l = S$. Hence $|S|_c = 1$. Further one can verify that $l$ is a best FLIIC of
$S$.


For a random set $S \in \mathbb{L}_n$, it is NP-hard to find a best FLIIC of $S$. In this
paper our major work is to find a best FLIIC of $S$ efficiently when $n$ is not too
big. To do so, we first consider the simplest case $|S|_c = 1$, that is, the set can be
fully characterized by only one linear integer inequality.


Definition 4 (Plain Set). For $S \in \mathbb{L}_n$, we say $S$ is plain if $|S|_c = 1$.


Denote by $\mathcal{P}_n$ the set of all plain sets in $\mathbb{L}_n$. Obviously, $\emptyset, \mathbb{Z}_2^n \in \mathcal{P}_n$. We say
$\emptyset$ and $\mathbb{Z}_2^n$ are trivial, and $S \in \mathcal{P}_n \setminus \{\emptyset, \mathbb{Z}_2^n\}$ is non-trivial.


Proposition 1. If $S \in \mathcal{P}_n$, then $\bar{S} \in \mathcal{P}_n$.


Proof: Let $\{l\} \in C(S)$. Then $\{\bar{l}\} \in C(\bar{S})$. So $\bar{S} \in \mathcal{P}_n$.
Below we introduce the concept of shift, which will play an important role
in our discussion.


Definition 5 (Shift). For $c \in \mathbb{Z}_2^n$, denote

$$c \oplus S = \{c \oplus x \mid x \in S\} \tag{2}$$

and call $c \oplus S$ the $c$-shift of $S$. Similarly, for $l: \sum_{i=0}^{n-1} a_i x_i \ge b$ and $c \in \mathbb{Z}_2^n$, denote

$$l^c: \sum_{i=0}^{n-1} a_i \left[ c_i (1 - x_i) + x_i (1 - c_i) \right] \ge b \tag{3}$$

and call $l^c$ the $c$-shift of $l$.
Let $L$ be a group of linear inequalities. We denote
$$L^c = \{l^c \mid l \in L\}. \tag{4}$$
As for the shift, we have the following conclusions. 
Lemma 1. For any $S \in \mathcal{P}_n$, $\{l\} \in C(S)$ and $c \in \mathbb{Z}_2^n$, we have $\{l^c\} \in C(c \oplus S)$.


Proof: Set $l: \sum_{i=0}^{n-1} a_i x_i \ge b$. For $c \in \mathbb{Z}_2^n$ and $x \in c \oplus S$,

$$x[i] \oplus c[i] = c[i](1 - x_i) + x_i (1 - c[i])$$

always holds. Thus, for $c \oplus x \in S$, we have


So $l^c = c \oplus S$, that is, $\{l^c\} \in C(c \oplus S)$.


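Theorem 2 (Shift Theorem). For any $S \in \mathbb{L}_n$, $L \in C(S)$ and $c \in \mathbb{Z}_2^n$, we
have $L^c \in C(c \oplus S)$.


Proof: By Lemma 1, we have

$$L^c = \bigcap_{l \in L} l^c = \bigcap_{l \in L} (c \oplus l) = c \oplus \bigcap_{l \in L} l = c \oplus S.$$

The conclusion follows.


Corollary 1. For any $S \in \mathcal{P}_n$ and $c \in \mathbb{Z}_2^n$, we have $c \oplus S \in \mathcal{P}_n$.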


Example 3. Take $S = \{000, 100, 101\} \subseteq \mathbb{Z}_2^3$, $l: x_0 - 2x_1 - x_2 \ge 0$ and $c = 101$.
By the definition of shift, we have

$$c \oplus S = \{101, 001, 000\}$$

and


i.e.,
$$l^c: -x_0 - 2x_1 + x_2 \ge 0.$$

It is easy to check that $l^c$ fully characterizes $c \oplus S$, hence $c \oplus S$ is also plain.
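
The definitions of this section can be checked by brute force for small $n$. The following sketch is an added example, not code from the paper: it encodes an inequality as the tuple $(a_0, \ldots, a_{n-1}, b)$, verifies Examples 1 to 3, builds the FLIIC from the proof of Theorem 1, and searches all single inequalities of bounded norm. All function names are hypothetical.

```python
from itertools import product

def points(n):
    """All points of Z_2^n as tuples (x[0], ..., x[n-1])."""
    return list(product((0, 1), repeat=n))

def solutions(l, n):
    """Solution set on Z_2^n of l = (a_0, ..., a_{n-1}, b): sum a_i x_i >= b."""
    *a, b = l
    return {x for x in points(n) if sum(ai * xi for ai, xi in zip(a, x)) >= b}

def characterized(L, n):
    """Set characterized by L: intersection of the solution sets of its inequalities."""
    S = set(points(n))
    for l in L:
        S &= solutions(l, n)
    return S

def is_fliic(L, S, n):
    """Definition 1: the solution set of L on Z_2^n is exactly S."""
    return characterized(L, n) == set(S)

def norm(L):
    """Norm of L: largest absolute value among all coefficients and right-hand sides."""
    return max(abs(v) for l in L for v in l)

def cut_point(c):
    """Inequality l_c from the proof of Theorem 1, which excludes only the point c.
    sum [(1-c_i) x_i + c_i (1-x_i)] >= 1  is  sum (1-2c_i) x_i >= 1 - wt(c)."""
    return tuple(1 - 2 * ci for ci in c) + (1 - sum(c),)

def trivial_fliic(S, n):
    """FLIIC with |complement of S| inequalities (x_0 >= 0 when S is all of Z_2^n)."""
    comp = sorted(set(points(n)) - set(S))
    return [cut_point(c) for c in comp] or [(1,) + (0,) * (n - 1) + (0,)]

def shift_set(c, S):
    """c-shift of S, equation (2)."""
    return {tuple(ci ^ xi for ci, xi in zip(c, x)) for x in S}

def shift_ineq(c, l):
    """c-shift of l, equation (3): where c_i = 1, a_i x_i becomes a_i (1 - x_i),
    so the coefficient changes sign and a_i moves to the right-hand side."""
    *a, b = l
    new_a = tuple(-ai if ci else ai for ai, ci in zip(a, c))
    new_b = b - sum(ai for ai, ci in zip(a, c) if ci)
    return new_a + (new_b,)

def single_inequalities(S, n, bound):
    """All single inequalities of norm <= bound whose solution set is exactly S."""
    rng = range(-bound, bound + 1)
    return [l for l in product(rng, repeat=n + 1) if solutions(l, n) == set(S)]

if __name__ == "__main__":
    S = {(0, 0, 0), (1, 0, 0), (1, 0, 1)}          # Example 1
    L = [(1, -1, -1, 0), (-1, -1, 1, -1)]          # l_1 and l_2 of Example 1
    print("Example 1 is a FLIIC:", is_fliic(L, S, 3), "norm", norm(L))
    print("Theorem 1 FLIIC size:", len(trivial_fliic(S, 3)))
    print("norm <= 1 singles:", single_inequalities(S, 3, 1))
    print("norm <= 2 singles:", single_inequalities(S, 3, 2))   # Example 2
    c = (1, 0, 1)                                   # Example 3
    print("l^c =", shift_ineq(c, (1, -2, -1, 0)), "c + S =", sorted(shift_set(c, S)))
```

The search confirms that no single inequality of norm 1 characterizes $S$, while exactly one of norm at most 2 does, which is the inequality of Example 2.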


3 Graph Structures of Sets 


In this section we discuss some properties of plain sets from the viewpoint
of graph theory. For any non-empty $S \in \mathbb{L}_n$, we can construct an undirected
graph $G_n(S)$ as below:


1. The vertex set is just $S$;
2. There is an edge between $x$ and $y$ if and only if $d(x, y) = 1$ for $x, y \in S$.


When $S = \mathbb{Z}_2^n$, we simply write $G_n(\mathbb{Z}_2^n)$ as $G_n$. For a given set $S \in \mathbb{L}_n$,
finding its FLIIC is equivalent to finding a set of linear inequalities $L = \{l_i\}_{1 \le i \le m}$
such that $\bar{S} = \bigcup_{1 \le i \le m} \bar{l_i}$. We notice that the connectivity of $G_n(\bar{S})$ is an important
parameter to determine a set $L \in C(S)$ and the lower bound of $|S|_c$. Here are
some definitions and conclusions about the connectivity of $G_n(S)$.

Definition 6. For $x, y \in \mathbb{Z}_2^n$, we say $x = p_0 \to p_1 \to \cdots \to p_t = y$ is a path
linking $x$ and $y$ if $p_0, p_1, \ldots, p_t \in \mathbb{Z}_2^n$ and $d(p_i, p_{i+1}) = 1$ for $i = 0, 1, \ldots, t-1$.


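Lemma 2. Let $S \in \mathcal{P}_n$ with $|S| \ge 2$. Then for two arbitrary distinct vertexes
$x, y \in S$, there is always a path $x = p_0 \to p_1 \to \cdots \to p_t = y$, where $p_i \in S$ for
$i = 0, 1, \ldots, t$.


Proof: Suppose $\sum_{i=0}^{n-1} a_i x_i \ge b$ fully characterizes $S$. Denote $f(x) = \sum_{i=0}^{n-1} a_i x[i]$ for
any $x \in \mathbb{Z}_2^n$. Let

$$
\begin{aligned}
W &= \{i \mid x[i] \ne y[i], \ i = 0, 1, \ldots, n-1\}, \\
I &= \{i \in W \mid x[i] = 1, a_i < 0 \text{ or } x[i] = 0, a_i \ge 0\} = \{i_1, \ldots, i_r\}, \\
J &= \{j \in W \mid x[j] = 1, a_j \ge 0 \text{ or } x[j] = 0, a_j < 0\} = \{j_1, \ldots, j_s\}.
\end{aligned}
$$

Denote $p_0 = x$. Construct $p_k \in \mathbb{Z}_2^n$, $k = 1, 2, \ldots, r$, as follows:
$$p_k = p_{k-1} \oplus e_{i_k}, \quad i_k \in I,$$
and $p_{r+k} \in \mathbb{Z}_2^n$, $k = 1, 2, \ldots, s$, as follows:
$$p_{r+k} = p_{r+k-1} \oplus e_{j_k}, \quad j_k \in J.$$

Then we have $y = p_{r+s}$ and $d(p_i, p_{i+1}) = 1$, $i = 0, 1, \ldots, s+r-1$.
By the definitions of $I$ and $J$, we have

$$
\begin{aligned}
f(p_r) &\ge \cdots \ge f(p_1) \ge f(p_0) = f(x) \ge b, \\
f(p_r) &\ge f(p_{r+1}) \ge \cdots \ge f(p_{r+s}) = f(y) \ge b.
\end{aligned}
$$

Therefore, $p_i \in S$, $i = 1, 2, \ldots, r+s-1$. The conclusion follows.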


Proposition 2. For $S \in \mathcal{P}_n$, $G_n(S)$ and $G_n(\bar{S})$ are connected.


Proof: The conclusion follows directly from Lemma 2 and Proposition 1.

For any $S \in \mathbb{L}_n$, denote by $B(G_n(S))$ the number of connected branches of
$G_n(S)$, which gives a lower bound of the characterization cardinality of $S$.


Proposition 3. For $S \in \mathbb{L}_n$, we have
$$B(G_n(\bar{S})) \le |S|_c \le |\bar{S}|. \tag{5}$$


Proof: By Theorem 1, there exists an $L \in C(S)$ such that $|L| = |\bar{S}|$, which
indicates $|S|_c \le |\bar{S}|$.

Suppose $G_n(\bar{S})$ has $k$ distinct connected branches $G_n(\bar{S}_1), \ldots, G_n(\bar{S}_k)$. For
any $L \in C(S)$, we have $\bar{S} = \bigcup_{l \in L} \bar{l}$. Note that $G_n(\bar{l})$ is connected for any $l \in L$,
thus there exists $1 \le i \le k$ such that $\bar{l} \subseteq \bar{S}_i$. It implies that $L$ has at least $k$
inequalities, that is, $B(G_n(\bar{S})) \le |S|_c$.

Next we give a common case on the characterization of the exclusive-or
operation.

Proposition 4. Let $b \in \mathbb{Z}_2$ and
$$S_b = \{x \in \mathbb{Z}_2^n \mid x[0] \oplus x[1] \oplus \cdots \oplus x[n-1] = b\}.$$
Then $|S_b|_c = 2^{n-1}$.


Proof: The conclusion follows from $|\bar{S_b}| = 2^{n-1}$ and the fact that two arbitrary vertexes in
$G_n(\bar{S_b})$ are not connected, that is, $B(G_n(\bar{S_b})) = 2^{n-1}$.


Remark 1. The same conclusion is obtained from a different point of view in
[BC20].
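
The bound (5) of Proposition 3 is cheap to evaluate: count the connected branches of the graph on the complement of $S$. The sketch below is an added example, not code from the paper, with hypothetical function names; it checks the bound on the set of Example 1 and on the parity set of Proposition 4, where the lower and upper bounds coincide. It assumes $S \ne \mathbb{Z}_2^n$, so the complement is non-empty.

```python
from itertools import product

def components(V):
    """Connected branches of G_n(V): vertices V, edges between points at Hamming distance 1."""
    V = set(V)
    seen, comps = set(), []
    for v in sorted(V):
        if v in seen:
            continue
        comp, stack = set(), [v]
        seen.add(v)
        while stack:                      # depth-first search from v
            x = stack.pop()
            comp.add(x)
            for i in range(len(x)):       # neighbours differ in exactly one bit
                y = x[:i] + (1 - x[i],) + x[i + 1:]
                if y in V and y not in seen:
                    seen.add(y)
                    stack.append(y)
        comps.append(comp)
    return comps

def cardinality_bounds(S, n):
    """(lower, upper) bounds on |S|_c from (5): branches of the complement graph and its size."""
    comp = set(product((0, 1), repeat=n)) - set(S)
    return len(components(comp)), len(comp)

def parity_set(n, b):
    """S_b of Proposition 4: points whose bits XOR to b."""
    return {x for x in product((0, 1), repeat=n) if sum(x) % 2 == b}

if __name__ == "__main__":
    S = {(0, 0, 0), (1, 0, 0), (1, 0, 1)}            # Example 1, a plain set
    print("Example 1 bounds:", cardinality_bounds(S, 3))
    for n in (2, 3, 4, 5):
        print("parity set, n =", n, "bounds:", cardinality_bounds(parity_set(n, 0), n))
```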


4 Essential Properties of Plain Sets 


In the section we will further explore some essential properties of plain sets, 
including type, sparsity, degeneration, order, minimal or maximal elements, norm 
and its bound, and so on. Based on these properties, we further propose the 
sufficient and necessary condition for the plain set. 


4.1 Type, Sparsity and Degeneration 
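Here we start from the type of a linear inequality $l$.

Definition 7 (Type). For a given linear inequality $l$:
$$a_0 x_0 + a_1 x_1 + \cdots + a_{n-1} x_{n-1} \ge b,$$
the type of $l$ is defined as an $n$-bit string $\lambda \in \{'-', '+', '0'\}^n$, where

$$
\lambda[i] =
\begin{cases}
'+' & \text{if } a_i > 0; \\
'-' & \text{if } a_i < 0; \\
'0' & \text{if } a_i = 0.
\end{cases}
\tag{6}
$$


Obviously, there are $3^n$ possible types of inequalities with $n$ variables. For a
given set $S \in \mathbb{L}_n$, denote

$$
\begin{aligned}
S_i^+ &= \{x \in \bar{S} \mid x[i] = 0, \ x \oplus e_i \in S\}, \\
S_i^- &= \{x \in \bar{S} \mid x[i] = 1, \ x \oplus e_i \in S\}, \\
S_i &= \{x \in \bar{S} \mid x \oplus e_i \in S\} = S_i^+ \cup S_i^-.
\end{aligned}
\tag{7}
$$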


As for plain sets, the following lemma explores the relationship between the 
sets defined above and signs of coefficients of their FLIICs. 


Lemma 3. Suppose $\mathbb{Z}_2^n \ne S \in \mathcal{P}_n$, $\{l = (a_0, a_1, \ldots, a_{n-1}, b)\} \in C(S)$. Then for
$0 \le i \le n-1$, the following properties always hold:


1. $S_i^+$ and $S_i^-$ cannot be non-empty at the same time;
2. If $S_i^+ \ne \emptyset$, then $a_i > 0$;
3. If $S_i^- \ne \emptyset$, then $a_i < 0$;
4. If $a_i = 0$, then $S_i = \emptyset$.


Proof: We first prove Item 2. Suppose $S_i^+ \ne \emptyset$, then there exists $x \in S_i^+$ such
that $x \in \bar{l}$ and $x[i] = 0$, meanwhile, $x \oplus e_i \in l$. Hence we have $a_i + \sum_{j \ne i} a_j x_j \ge b$
and $\sum_{j \ne i} a_j x_j < b$, which imply $a_i > 0$. Similarly we can prove Item 3. Note that
at most one of the two cases $a_i > 0$ and $a_i < 0$ holds, thus $S_i^+$ and $S_i^-$ cannot be
non-empty at the same time. Finally, when $a_i = 0$, neither of the above situations
happens, i.e., $S_i^+ = \emptyset = S_i^-$, hence $S_i = S_i^+ \cup S_i^- = \emptyset$.

For $S \in \mathcal{P}_n$ with $S_i = \emptyset$ for some $0 \le i \le n-1$, if

$$l = (a_0, a_1, \ldots, a_{i-1}, a_i, a_{i+1}, \ldots, a_{n-1}, b) \in C(S)$$

with $a_i \ne 0$, we notice that $l' = (a_0, a_1, \ldots, a_{i-1}, 0, a_{i+1}, \ldots, a_{n-1}, b)$ is also a
FLIIC of $S$. This is because: if $x \in S$, then $x \oplus e_i \in S$ according to $S_i = \emptyset$; if
$x \oplus e_i \in S$, then $x \in S$ according to $S_i = \emptyset$. In summary, for all $x \in \mathbb{Z}_2^n$, $x \in S$
if and only if $x \oplus e_i \in S$. Therefore we always set $a_i = 0$ when $S_i = \emptyset$ in the rest
of the paper. So all statements in Lemma 3 turn into sufficient and necessary
conditions.


Theorem 3 (Type Theorem). Suppose $\mathbb{Z}_2^n \ne S \in \mathcal{P}_n$ and
$$\{l = (a_0, a_1, \ldots, a_{n-1}, b)\} \in C(S)$$
such that $a_i = 0$ if $S_i = \emptyset$ for some $i$'s. Then, for $0 \le i \le n-1$, the following
properties always hold:


1. $S_i^+$ and $S_i^-$ cannot be non-empty at the same time;
2. $S_i^+ \ne \emptyset$ if and only if $a_i > 0$;
3. $S_i^- \ne \emptyset$ if and only if $a_i < 0$.

The proof of Theorem 3 is similar to that of Lemma 3 and we do not repeat
it. By the Type Theorem, we know that for a given plain set $S$, the type of its
FLIIC $l$ is uniquely determined by $S$ itself. In this case we also call it the type
of $S$, denoted by $\lambda(S)$. Below we further introduce the concepts of sparsity and
degeneration of plain sets.


Definition 8 (Sparsity). Let $S \in \mathcal{P}_n$ and $\lambda = \lambda(S)$. The sparsity of $S$, denoted
by $\chi(S)$, is defined as the number of zero bits in its type $\lambda$, i.e.,

$$\chi(S) = \#\{i \mid \lambda[i] = {'0'}, \ 0 \le i \le n-1\}. \tag{8}$$


Definition 9 (Degenerate). For a plain set $S \in \mathcal{P}_n$, we call $S$ degenerate
if $\chi(S) > 0$; otherwise, $S$ is non-degenerate if $\chi(S) = 0$.
In order to distinguish it from the secondary degeneration introduced in
Section 5, we call it the first degeneration later. Denote by $\mathcal{P}_n^*$ the set of all
non-degenerate plain sets, i.e.,

$$\mathcal{P}_n^* = \{S \in \mathcal{P}_n \mid \chi(S) = 0\}. \tag{9}$$


For a degenerate plain set $S$, suppose $\chi(S) = n' < n$ and $l$ is a FLIIC of $S$,
then $l$ equivalently characterizes a set $S' \subseteq \mathbb{Z}_2^{n-n'}$, where $S'$ can be obtained by
removing from all $x \in S$ the bits corresponding to $a_i = 0$. Thus we only focus
on non-degenerate plain sets.


4.2 Order 


In the section we mainly discuss the order of the plain set S. 

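Let $S \in \mathcal{P}_n$ and $\{l = (a_0, a_1, \ldots, a_{n-1}, b)\} \in C(S)$. Notice that there exists a
natural order among the coefficients $a_i$. In order to characterize such an order,
we denote

$$
\begin{aligned}
\Gamma_i &:= \{x \in S \mid x[i] = 1\}, \\
\Gamma_{i,j} &:= \{x \oplus e_i \mid (x \in \Gamma_i) \wedge (x[j] = 0)\}
\end{aligned}
\tag{10}
$$

for $0 \le i \ne j \le n-1$. As for $\Gamma_{i,j}$, we have the following conclusion:


Lemma 4. Suppose $S \in \mathcal{P}_n$ and $(a_0, a_1, \ldots, a_{n-1}, b) \in C(S)$. Then $\Gamma_{i,j} \subseteq \Gamma_{j,i}$
always holds if $a_i \le a_j$. Especially, $\Gamma_{i,j} = \Gamma_{j,i}$ holds when $a_i = a_j$.


Proof: Suppose $x \in \Gamma_{i,j}$, then $x[i] = x[j] = 0$ and $x \oplus e_i \in S$. Since $a_i \le a_j$, we
have
$$b \le a_i + \sum_{k \ne i,j} a_k x[k] \le a_j + \sum_{k \ne i,j} a_k x[k].$$

Thus $x \oplus e_j \in S$ holds, i.e., $x \in \Gamma_{j,i}$, which implies $\Gamma_{i,j} \subseteq \Gamma_{j,i}$. Suppose $a_i = a_j$.
For any $x \in \mathbb{Z}_2^n$ with $x[i] = x[j] = 0$, $x \oplus e_i \in S$ if and only if $x \oplus e_j \in S$. Thus
$\Gamma_{i,j} = \Gamma_{j,i}$.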

For $S \in \mathcal{P}_n$ with $\Gamma_{i,j} = \Gamma_{j,i}$ for some $i$ and $j$, if

$$\{l = (a_0, a_1, \ldots, a_i, \ldots, a_j, \ldots, a_{n-1}, b)\} \in C(S)$$

with $a_i \ne a_j$, we notice that $l' = (a_0, a_1, \ldots, a_i, \ldots, a_j, \ldots, a_{n-1}, b)$ is also a
FLIIC of $S$. This is because: if $x \oplus e_i \in S$, then $x \oplus e_i \in S$ naturally holds;
if $x \oplus e_j \in S$, then $x \in \Gamma_{j,i} = \Gamma_{i,j}$, i.e., $x \oplus e_i \in S$. In summary, $x \oplus e_i \in S$
if and only if $x \oplus e_j \in S$. Therefore we can always set $a_i = a_j$. Denote by $\mathcal{L}$
the set of all linear integer inequalities $l: (a_0, a_1, \ldots, a_{n-1}, b)$ such that $a_i = 0$
if $S_i = \emptyset$ for some $i$'s and $a_i = a_j$ if $\Gamma_{i,j} = \Gamma_{j,i}$ for some $i$'s and $j$'s. In this
paper we mainly focus on linear integer inequalities in $\mathcal{L}$ and use them to fully
characterize a given set $S$. For any $S \in \mathbb{L}_n$, denote

$$C^*(S) = \{L \in C(S) \mid l \in L \wedge l \in \mathcal{L}\}. \tag{11}$$
Theorem 4 (Order Theorem). Suppose $S \in \mathcal{P}_n^*$ and $\{(a_0, a_1, \ldots, a_{n-1}, b)\} \in
C^*(S)$. Then $a_i < a_j$ if and only if $\Gamma_{i,j} \subsetneq \Gamma_{j,i}$.


Proof: The necessity is directly indicated by Lemma 4. Suppose $\Gamma_{i,j} \subsetneq \Gamma_{j,i}$,
then $\exists x \in \mathbb{Z}_2^n$ with $x[i] = x[j] = 0$ such that $x \oplus e_j \in S$ and $x \oplus e_i \notin S$. Then we
have

$$a_i + \sum_{k \ne i,j} a_k x[k] < b \le a_j + \sum_{k \ne i,j} a_k x[k],$$

which implies $a_i < a_j$. So the conclusion holds.

For a given set $S \in \mathcal{P}_n$, by the Order Theorem, $S$ can derive a bit-level
position permutation $\sigma$, where $\sigma$ meets $a_{\sigma(i)} \le a_{\sigma(j)}$ when $i < j$. Thus we can
assume that there exists a default relationship of order:

$$a_0 \le a_1 \le \cdots \le a_{n-1}.$$

Otherwise, we will act $\sigma$ on $S$ to make it hold.


Definition 10 (Regular Plain Set). A non-degenerate plain set $S$ is called a
regular plain set if there exists a

$$\{(a_0, a_1, \ldots, a_{n-1}, b)\} \in C^*(S),$$

such that $1 \le a_0 \le a_1 \le \cdots \le a_{n-1}$.


Denote by P7, , the set of all regular plain sets. For any $S \in \mathcal{P}_n^*$, we can
always convert it into a regular plain set by the following two operations:


— Type Shift: Let $c \in \mathbb{Z}_2^n$ such that


where $\lambda = \lambda(S)$. We act a shift $c$ on $S$ and call $c$ the type vector of $S$. After
the type shift $c$, all coefficients of the FLIICs of $S' = c \oplus S$ are positive.

— Position Permutation: Let $\sigma$ be a position permutation derived by $S'$.
Then all coefficients of the FLIICs of $S'' = \sigma(S')$ satisfy

$$1 \le a_0 \le a_1 \le \cdots \le a_{n-1}.$$


On the contrary, if we have a FLIIC $l''$ of $S''$, we first act the inverse $\sigma^{-1}$ on
$l''$ to get a FLIIC $l'$ of $S'$ and then a type shift $c$ on $l'$ to get a FLIIC $l$ of $S$.
Figure 1 illustrates the above procedure. Therefore we only consider a regular
plain set $S$ in the rest of the paper.

Let $x \in \mathbb{Z}_2^n$, and denote by $supp(x)$ the set of the positions of ones in the binary
representation of $x$:

$$supp(x) = \{i \mid x[i] = 1, \ 0 \le i \le n-1\},$$

which is called the support set of $x$. Below we introduce a partial order relation
among elements in $\mathbb{Z}_2^n$.
Fig. 1. Diagram of the type shift and the position permutation


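Definition 11 (Weak Order). For $x, y \in \mathbb{Z}_2^n$, we say $x \sqsubseteq y$ if $supp(x) \subseteq
supp(y)$.


Definition 12 (Strong Order). For $x, y \in \mathbb{Z}_2^n$, denote

$$
\begin{aligned}
supp(x) &= \{i \mid x[i] = 1, \ 0 \le i \le n-1\} = \{i_1, i_2, \ldots, i_s\}, \\
supp(y) &= \{j \mid y[j] = 1, \ 0 \le j \le n-1\} = \{j_1, j_2, \ldots, j_t\},
\end{aligned}
$$

where $s$ and $t$ are positive integers, $i_1 < i_2 < \cdots < i_s$, $j_1 < j_2 < \cdots < j_t$. We
say $x \preceq y$ if $s \le t$ and $i_{s-k} \le j_{t-k}$ for all $0 \le k \le s-1$. Further, we say $x \prec y$
if $x \preceq y$ and $x \ne y$.


Definition 13 (Ordered Set). For any $S \in \mathbb{L}_n$, $S$ is called an ordered set if
for any $x \in S$ and $x' \in \mathbb{Z}_2^n$, if $x \preceq x'$, then $x' \in S$.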


The following proposition explores the relationship between an ordered set
$S$ and the connectivity of the graph $G_n(S)$.


Proposition 5. Let $S \in \mathbb{L}_n$ be an ordered set. Then $G_n(S)$ is connected.

Proof: For any given $x, y \in S$, denote

$$
\begin{aligned}
I &= \{i \mid x[i] = 0, \ 0 \le i \le n-1\} = \{i_0, i_1, \ldots, i_{s-1}\}; \\
J &= \{j \mid y[j] = 0, \ 0 \le j \le n-1\} = \{j_0, j_1, \ldots, j_{t-1}\}.
\end{aligned}
$$

Take $p_0 = x$, $p_{k+1} = p_k \oplus e_{i_k}$ $(k = 0, 1, \ldots, s-1)$ and $p_{s+k+1} = p_{s+k} \oplus e_{j_k}$
$(k = 0, 1, \ldots, t-1)$. Note that $p_{s+t} = y$ and $d(p_k, p_{k+1}) = 1$ $(0 \le k \le s+t-1)$,
we have

$$x = p_0 \to p_1 \to \cdots \to p_s \to p_{s+1} \to \cdots \to p_{s+t} = y,$$

which implies that $G_n(S)$ is connected.

It should be noted that there have been some similar works which consider points in $\mathbb{Z}_2^n$ from the perspective of order [Sun21]. We find that what they discussed was only the inclusion relationship among points in $\mathbb{Z}_2^n$, see Definition 11. They did not consider the relationship among coefficients of the corresponding inequality. For comparison, we call it a weak order and call the corresponding set a weakly ordered set. By Theorem 4, for any $S \in P_n$, the order among coefficients of the inequalities $l \in C^*(S)$ is completely determined. That is to say, an order we defined always exists for any $S \in P_n$. Therefore the order we define is more essential and powerful than the weak order. The following proposition shows that a weakly ordered set $S$ can be characterized fully by the sets $S_i$ $(i = 0, 1, \dots, n-1)$. Since we do not discuss the weak order too much in this paper, its proof is omitted here.


Proposition 6. Let $S \in \Pi_n$. Then $S$ is a weakly ordered set if and only if $S_i = \emptyset$ for all $i \in \{0, \dots, n-1\}$.




4.3 Good Set 


Finally we introduce the concept of good set, which can fully characterize a plain 
set. 


Definition 14. For $x, y, x', y' \in \mathbb{Z}_2^n$, we say $x + x' = y + y'$ if $x[i] + x'[i] = y[i] + y'[i]$ holds for $i = 0, 1, \dots, n-1$, where $+$ means the common integer addition.


This definition can be easily generalized to the form of sums of n terms. 


Definition 15 (Good Set). Let $S \in \Pi_n$. $S$ is good if it meets the following two conditions:


1. Order Condition: $S$ is an ordered set;
2. Consistent Condition: There do not exist $2k$ elements $x_0, x_1, \dots, x_{k-1} \in S$ and $y_0, y_1, \dots, y_{k-1} \in \bar{S}$ such that $x_0 + x_1 + \cdots + x_{k-1} = y_0 + y_1 + \cdots + y_{k-1}$.


Theorem 5 (Main Theorem). $S \in P^{*}_{n,+}$ if and only if $S$ is good.


Proof: The necessity is trivial since for any $2k$ elements $x_0, x_1, \dots, x_{k-1} \in S$ and $y_0, y_1, \dots, y_{k-1} \in \bar{S}$, we have

$$\sum_{j=0}^{k-1}\sum_{i=0}^{n-1} a_i x_j[i] \ \ge\ kb \ >\ \sum_{j=0}^{k-1}\sum_{i=0}^{n-1} a_i y_j[i],$$

where $(a_0, a_1, \dots, a_{n-1}, b) \in C(S)$, which implies

$$x_0 + x_1 + \cdots + x_{k-1} \ne y_0 + y_1 + \cdots + y_{k-1}.$$

Below we prove the sufficiency. Suppose $S \notin P^{*}_{n,+}$, which means the inequality system

$$\begin{aligned}
&\sum_{i=0}^{n-1} a_i x[i] \ge b, \quad x \in S;\\
&\sum_{i=0}^{n-1} a_i y[i] < b, \quad y \in \bar{S};\\
&0 < a_0 \le a_1 \le \cdots \le a_{n-1}
\end{aligned} \tag{12}$$

has no solution. From (12), there must exist a subsystem containing $k$ elements $x_0, x_1, \dots, x_{k-1} \in S$ and $t$ elements $y_0, y_1, \dots, y_{t-1} \in \bar{S}$ such that the contradiction

$$kb \ \le\ \sum_{j=0}^{k-1}\sum_{i=0}^{n-1} a_i x_j[i] \ \le\ \sum_{j=0}^{t-1}\sum_{i=0}^{n-1} a_i y_j[i] \ <\ tb$$

arises, where $k \ge t$. Here we assume that $k = t$ without loss of generality. This is because: if $k > t$, we can choose another $k - t$ elements $y_t, \dots, y_{k-1}$ arbitrarily from $\bar{S}$, and the inequality

$$kb \ \le\ \sum_{j=0}^{k-1}\sum_{i=0}^{n-1} a_i x_j[i] \ \le\ \sum_{j=0}^{k-1}\sum_{i=0}^{n-1} a_i y_j[i] \ <\ kb$$

still holds. Note that

$$\sum_{i=0}^{n-1} a_i \Big( \sum_{j=0}^{k-1} y_j[i] - \sum_{j=0}^{k-1} x_j[i] \Big) \ge 0$$

always holds for all $0 < a_0 \le a_1 \le \cdots \le a_{n-1}$. We check gradually for $i$ from $n-1$ to $0$ whether $\sum_{j=0}^{k-1} x_j[i] = \sum_{j=0}^{k-1} y_j[i]$ holds or not. If it does not, that is, $\sum_{j=0}^{k-1} x_j[i] < \sum_{j=0}^{k-1} y_j[i]$, then since $S$ is an ordered set, one can always choose some smaller $y'_j$ from $\bar{S}$ instead of some $y_j$ (here we give preference to $y_j$ with $y_j[i] = 1$ and $y_j[i-1] = 0$, and $y'_j = y_j + e_i + e_{i-1}$) such that it holds. It contradicts the consistent condition of $S$. So $S \in P^{*}_{n,+}$.


4.4 Minimal and Maximal Element 


In the section we will discuss the minimal and maximal elements of ordered sets 
and their properties. 


Definition 16 (Minimal and Maximal Element). Let $S \in \Pi_n$ be an ordered set. For any $x \in S$, $x$ is called a minimal element if $\nexists\, y \in S$ such that $y \prec x$, and a maximal element if $\nexists\, y \in S$ such that $x \prec y$.


For a given ordered set $S$, denote by $S_{\min}$ and $S_{\max}$ the set of all minimal elements and maximal elements in $S$ respectively. Now we consider how to get a FLIIC $l$ fast for a given set $S \in P^{*}_{n,+}$. Suppose $(a_0, a_1, \dots, a_{n-1}, b) \in C(S)$, and denote

$$f(x) = \sum_{i=0}^{n-1} a_i x[i]. \tag{13}$$

A common method is to solve a group of linear inequalities with $(n+1)$ variables and $2^n$ inequalities, where $f(x) \ge b$ for any $x \in S$ and $f(x) < b$ for any $x \in \bar{S}$. Note that for any $x, y \in \mathbb{Z}_2^n$, if $x \preceq y$, then we have $f(x) \le f(y)$, that is, if $f(x) \ge b$ and $x \preceq y$, then $f(y) \ge b$ always holds, and if $f(y) < b$ and $x \preceq y$, then $f(x) < b$ always holds. Hence we only need to solve a simplified group of linear inequalities with $(n+1)$ variables and $(|S_{\min}| + |S_{\max}|)$ inequalities, where $f(x) \ge b$ for any $x \in S_{\min}$ and $f(x) < b$ for any $x \in S_{\max}$. Algorithm 1 gives all details of getting a best FLIIC fast for a given set $S \in P^{*}_{n,+}$.

Below we simply discuss the upper bound of $|S_{\min}| + |S_{\max}|$. Denote $M_n = \max\{|S_{\max}| \mid S \in \Pi_n\}$. Referring to the paper [Inc21], one can find that $M_n$ is just the integer sequence A025591 and $M_n \sim \sqrt{6/\pi}\,\frac{2^n}{n^{3/2}}(1 + o(1))$. Due to the symmetry, $|S_{\min}|$ is also bounded by $M_n$. The values of $M_n$ for $n \le 18$ together with their ratio to $2^n$ are listed in Table 4. It is worth noting that $\lim_{n\to\infty} M_n / 2^n = 0$, which shows the scale of the simplified inequalities is ignorable with respect to that of the original inequalities. Therefore Algorithm 1 can output a best FLIIC far faster than the common method for a given set $S \in P^{*}_{n,+}$.


Algorithm 1 Get a best FLIIC $l$ of $S$
Input: A regular plain set $S \in P^{*}_{n,+}$
Output: A FLIIC $l$ with $\|l\| = \|S\|$
1: Compute $S_{\min}$ and $S_{\max}$;
2: Construct the MILP model:
   - For all $x \in S_{\min}$, add constraints $\sum_{i=0}^{n-1} a_i x[i] \ge b$;
   - For all $x \in S_{\max}$, add constraints $\sum_{i=0}^{n-1} a_i x[i] < b$;
   - Add constraints $1 \le a_0 \le a_1 \le \cdots \le a_{n-1} \le b$;
   - Set objective function: $\min b$;
3: Use Gurobi to solve the above problem and get a solution $l$;
4: return $l$;


Table 4. The upper bound of the size of $S_{\max}$ ($S_{\min}$)

n       |     1 |     2 |     3 |     4 |    5 |    6 |    7 |    8 |    9
M_n     |     1 |     1 |     2 |     2 |    3 |    5 |    8 |   14 |   23
Per (%) | 50.00 | 25.00 | 25.00 | 12.50 | 9.38 | 7.81 | 6.25 | 5.47 | 4.49

n       |    10 |    11 |    12 |    13 |   14 |   15 |   16 |   17 |   18
M_n     |    40 |    70 |   124 |   221 |  397 |  722 | 1314 | 2410 | 4441
Per (%) |  3.91 |  3.42 |  3.03 |  2.70 | 2.42 | 2.20 | 2.01 | 1.84 | 1.69


For any $x \in \mathbb{Z}_2^n$, denote

$$\mathrm{succ}(x) = \{u \in \mathbb{Z}_2^n \mid x \preceq u\}.$$

The following conclusion shows that for any $S \in P^{*}_{n,+}$, $S$ can be determined uniquely by $S_{\min}$, where we call $S_{\min}$ the minimal representation of $S$. Hence we will go through all possible minimal representations directly instead of $S \in P^{*}_{n,+}$, which will be used to compute the bound of norms of all linear integer inequalities in Section


Theorem 6 (Minimal Representation). Let $S \in P^{*}_{n,+}$. Then we have

$$S = \bigcup_{x \in S_{\min}} \mathrm{succ}(x). \tag{14}$$

Proof: On the one hand, for any $x \in S_{\min}$, note that $S$ is good by Theorem 5, thus $\mathrm{succ}(x) \subseteq S$. So $\bigcup_{x \in S_{\min}} \mathrm{succ}(x) \subseteq S$ holds. On the other hand, for $\forall s \in S$, there exists an $x \in S_{\min}$ such that $x \preceq s$, thus $s \in \mathrm{succ}(x)$. So $S \subseteq \bigcup_{x \in S_{\min}} \mathrm{succ}(x)$. The conclusion follows.
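
A small check of the reduced system and of Theorem 6, as an added example (not the paper's code): for a constructed 4-bit plain set it computes $S_{\min}$ and the maximal elements of the complement under the strong order, rebuilds $S$ from $S_{\min}$, and solves the reduced constraints of Algorithm 1 by exhaustive search in place of Gurobi. Assumptions of the example: the all-zero point is treated as lying below every point, the maximal elements are taken in the complement of $S$ (where $f(x) < b$ has to hold), and the starting inequality and all function names are illustrative.

```python
from itertools import combinations_with_replacement, product


def supp(x):
    """Positions of the 1-bits of x, in increasing order."""
    return [i for i, bit in enumerate(x) if bit]


def strong_le(x, y):
    """x <= y in the strong order: supp(x) is no larger than supp(y) and,
    pairing largest index with largest index, every index of x is <= its
    partner in y. Assumption here: the all-zero point is below every point."""
    sx, sy = supp(x), supp(y)
    if len(sx) > len(sy):
        return False
    return all(i <= j for i, j in zip(reversed(sx), reversed(sy)))


def cube(n):
    return list(product((0, 1), repeat=n))


def f(coeffs, x):
    return sum(a * bit for a, bit in zip(coeffs, x))


def plain_set(coeffs, b):
    """All points of Z_2^n with f(x) >= b."""
    return {x for x in cube(len(coeffs)) if f(coeffs, x) >= b}


def minimal_elements(points):
    return {x for x in points
            if not any(y != x and strong_le(y, x) for y in points)}


def maximal_elements(points):
    return {x for x in points
            if not any(y != x and strong_le(x, y) for y in points)}


def succ(x):
    return {u for u in cube(len(x)) if strong_le(x, u)}


def solve_reduced(s_min, c_max, n, b_limit):
    """Smallest b with 1 <= a_0 <= ... <= a_{n-1} <= b that meets only the
    reduced constraints; exhaustive search stands in for the MILP solver."""
    for b in range(1, b_limit + 1):
        for coeffs in combinations_with_replacement(range(1, b + 1), n):
            if (all(f(coeffs, x) >= b for x in s_min)
                    and all(f(coeffs, x) < b for x in c_max)):
                return coeffs, b
    return None


def demo():
    start = ((3, 5, 6, 8), 11)      # constructed inequality, not from the paper
    n = len(start[0])
    s = plain_set(*start)
    complement = set(cube(n)) - s
    s_min = minimal_elements(s)
    c_max = maximal_elements(complement)
    rebuilt = set().union(*(succ(x) for x in s_min))    # right-hand side of (14)
    coeffs, b = solve_reduced(s_min, c_max, n, start[1])
    return {"S": s, "S_min": s_min, "C_max": c_max, "rebuilt": rebuilt,
            "coeffs": coeffs, "b": b}


if __name__ == "__main__":
    r = demo()
    print("constraints: full =", 2 ** 4,
          "reduced =", len(r["S_min"]) + len(r["C_max"]))
    print("recovered inequality:", r["coeffs"], ">=", r["b"])
```

Only four of the sixteen point constraints are needed here, and the inequality found from them still separates all sixteen points.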

4.5 Norm and Its Bound


Denote

$$B_n = \max\{\|S\| \mid S \in P_n\}. \tag{15}$$

In the section we will determine an upper bound of $B_n$ for a given integer $n$. The following theorem gives a bound of $B_n$ in theory. Due to the limitation of the length of the paper, its proof will be shown in Appendix A.


Theorem 7 (Bound Theorem of Norm). For any positive integer n > 2, 
we have Bn < 2?"n!. 


It can be seen that the above bound in theory is too big and not practical to solve a FLIIC of a given set $S \in P_n$. Next we will give a tight bound for $n \le 8$.

A simple method is to go through all $S \in P_n$ and get the norm of each $S$. However, $|P_n|$ is very big and it is hard to go through all plain sets in $P_n$. Actually, we find that a suitable subset of $P_n$ is enough to determine $B_n$, which we will illustrate next.


Lemma 5. Let $0 \in S \in P_n \setminus \{\emptyset, \mathbb{Z}_2^n\}$. Then $\|S\| \le \|\bar{S}\|$.


Proof: We prove it by contradiction. Assume that $\|S\| > \|\bar{S}\|$, and take $l: (a_0, a_1, \dots, a_{n-1}, b) \in C(\bar{S})$, where $\|l\| = \|\bar{S}\|$. Since $0 \notin \bar{S}$, thus $b > 0$. Note that

$$\bar{l}: (-a_0, -a_1, \dots, -a_{n-1}, -b+1) \in C(S)$$

and $|-b+1| = b - 1 < b$, we have

$$\|S\| \le \|\bar{l}\| \le \|l\| = \|\bar{S}\|,$$

which leads to a contradiction. So $\|S\| \le \|\bar{S}\|$.


Lemma 6. Let $0 \notin S \in P_n \setminus \{\emptyset, \mathbb{Z}_2^n\}$ with type vector $c$. Then $\|S\| \le \|c \oplus S\|$.


Proof: We prove it by contradiction. Assume that $\|S\| > \|c \oplus S\|$, and take $l: (a_0, a_1, \dots, a_{n-1}, b) \in C(c \oplus S)$, where $\|l\| = \|c \oplus S\|$. Since $c$ is the type vector of $S$, then $0 \notin c \oplus S$. Otherwise, we have $c \oplus S = \mathbb{Z}_2^n$, which contradicts $S \ne \mathbb{Z}_2^n$. Thus $b > 0$ and $a_i > 0$ for all $i$'s. Note that

$$l^c: \Big((-1)^{c[0]} a_0, (-1)^{c[1]} a_1, \dots, (-1)^{c[n-1]} a_{n-1},\ b - \sum_{i=0}^{n-1} c[i] a_i\Big) \in C(S),$$

we have

$$\|S\| \le \|l^c\| \le \|l\| = \|c \oplus S\|.$$

A contradiction. So $\|S\| \le \|c \oplus S\|$.


Lemma 7. Let $S \in P_n \setminus \{\emptyset, \mathbb{Z}_2^n\}$ and $\sigma$ be a position permutation derived by the order of $S$. Then $\|S\| = \|\sigma(S)\|$, where $\sigma(S) = \{\sigma(a) \mid a \in S\}$.


Proof: For any $l: (a_0, a_1, \dots, a_{n-1}, b) \in C(S)$, we have

$$\sigma(l): (a_{\sigma(0)}, a_{\sigma(1)}, \dots, a_{\sigma(n-1)}, b) \in C(\sigma(S)).$$

Thus $\|l\| = \|\sigma(l)\|$, which implies that $\|S\| = \|\sigma(S)\|$.


By Lemmas 5, 6 and 7, we only need to focus on the bound of norms of all regular plain sets, that is,


Theorem 8. For any positive integer $n$, we have $B_n = \|P^{*}_{n,+}\|$, where

$$\|P^{*}_{n,+}\| = \max\{\|S\| \mid S \in P^{*}_{n,+}\}.$$

Proof: The conclusion follows directly from Lemmas 5, 6 and 7.

Since each regular plain set is a good set, we can go through all regular plain sets in $P^{*}_{n,+}$ fast by means of good sets, see Algorithm 2. Besides, by Theorem 6 we can also go through all combinations of minimal representations to do it, but here we do not give more details due to the limit of the paper.


Algorithm 2 FindGoodSets($S$, $t$, $\mathcal{S}$): Go through all good sets in $\mathbb{Z}_2^n$
Input: A positive integer $n$, the initial set $S = \emptyset$, $\mathcal{S} = \emptyset$ and $t = -1$
Output: All good sets $\mathcal{S}$
1: if $S = \mathbb{Z}_2^n$ then
2:    return;
3: end if
4: if $S$ is good then
5:    $\mathcal{S} \leftarrow \mathcal{S} \cup \{S\}$;
6: end if
7: for each $x$ in $\{x \in \bar{S} \mid x > t\}$ do
8:    Compute $S \leftarrow S \cup \{y \in \bar{S} \mid x \preceq y\}$;
9:    Call FindGoodSets($S$, $x$, $\mathcal{S}$);
10: end for

Footnote (line 7 of Algorithm 2): Here we identify an $n$-bit string $x$ and an integer $x$ by means of the mapping $x \mapsto \sum_{i=0}^{n-1} 2^i x[i]$.


After getting all good sets $\mathcal{S}$, for each $S \in \mathcal{S}$, we call Algorithm 1 to get both its best FLIIC and norm. As results, $B_n$ $(1 \le n \le 8)$ are listed in Table 5.


Table 5. The experimental results of $B_n$

n   | 1 | 2 | 3 | 4 | 5 |  6 |  7 |   8
B_n | 1 | 2 | 3 | 5 | 9 | 18 | 40 | 105


5 Plain Closure of Sets


5.1 Minimal Plain Closure


In the section we mainly discuss plain closures of a given set $S \in \Pi_n$. When $S \notin P_n$, we need more than one inequality to fully characterize it, and each inequality fully characterizes a plain set containing $S$. In other words, we need to expand $S$ into different plain sets. The plain sets obtained by expanding $S$ are called plain closures of $S$.


Definition 17 (Plain Closure). Let $S \in \Pi_n$ and $S' \in P_n$. $S'$ is called a plain closure of $S$ if $S \subseteq S'$.


It is noticed that $\mathbb{Z}_2^n$ is a plain closure of all $S$'s, thus we call $\mathbb{Z}_2^n$ trivial. For any $S' \in P_n \setminus \{\mathbb{Z}_2^n\}$, we call $S'$ a non-trivial plain closure of $S$ if $S \subseteq S'$. Most of the time we are interested in some minimal plain closures of $S$, which are defined as below.


Definition 18 (Minimal Plain Closure). Let $S \in \Pi_n$ and $S'$ be a plain closure of $S$. $S'$ is minimal if $\nexists\, S'' \in P_n$ such that $S \subseteq S'' \subsetneq S'$.


A natural observation is that a FLIIC of S can be got by collecting the 
inequalities corresponding to its minimal plain closures. The following theorem 
guarantees this assertion. 


Theorem 9. For any $S \in \Pi_n$ and $L \in C(S)$, there exists a FLIIC $L'$ of $S$ such that $|L| = |L'|$ and for each $l' \in L'$, $l'$ is a minimal plain closure of $S$.


Proof: If all $l$'s in $L$ are minimal plain closures of $S$, then we take $L' = L$. Otherwise, there exists an $l \in L$ such that $l$ is not a minimal plain closure of $S$. By Definition 18, there exists a minimal plain closure $l'$ of $S$ such that $l' \subset l$. We replace $l$ with $l'$ in $L$ and get $L'$. Then $L'$ is also a FLIIC of $S$ due to $l' \subset l$. For each non-minimal plain closure $l$, repeat the above procedure till all $l$'s are minimal plain closures. The conclusion holds.

For a given set $S \in \Pi_n$, below we will start from type vectors of its plain closures and give a depth-first search algorithm, which can output all minimal plain closures of $S$.


Lemma 8. For a given set $S \in \Pi_n$, suppose $S'$ is a minimal plain closure of $S$ with type vector $c \in \mathbb{Z}_2^n$. If $0 \in c \oplus S$, then $S' = \mathbb{Z}_2^n$.


Proof: Suppose $l: (a_0, a_1, \dots, a_{n-1}, b)$ is a FLIIC of $c \oplus S'$. By the definition of type vector, it is known that $a_i > 0$ for $0 \le i \le n-1$. Since $0 \in c \oplus S$, then $b \le 0$, which implies that all $x$'s belong to $l$, that is, $l = \mathbb{Z}_2^n$. By Theorem 3 we have $S' = c \oplus l = \mathbb{Z}_2^n$.

The following theorem can be directly obtained by Lemma 8.


Theorem 10. Let $S \in \Pi_n$ and $c \in \mathbb{Z}_2^n$. Then $S$ has a non-trivial minimal plain closure with type vector $c$ if and only if $c \in \bar{S}$.

For a given set $S$, by Theorem 10, we know that there are just $|\bar{S}|$ possible type vectors such that their corresponding minimal plain closures are non-trivial. For each non-trivial type vector $c$, since all coefficients of the FLIICs of minimal plain closures of $c \oplus S$ are non-negative, if $e_i \in c \oplus S$, then all $x$'s with $x[i] = 1$ belong to $c \oplus S$. We remove the $i$-th bit from all $x$'s in $c \oplus S$ and get a lower dimensional set $\tilde{S} \subseteq \mathbb{Z}_2^{n-1}$. If

$$(a_0, \dots, a_{i-1}, a_{i+1}, \dots, a_{n-1}, b) \tag{16}$$

is a FLIIC of the minimal plain closure of $\tilde{S}$, then

$$(a_0, \dots, a_{i-1}, b, a_{i+1}, \dots, a_{n-1}, b) \tag{17}$$

is a FLIIC of the minimal plain closure of $c \oplus S$. In order to characterize the above property, we introduce the concept of secondary degeneration.


Definition 19 (Secondary Degeneration). Let $S \in \Pi_n$ and $c \in \mathbb{Z}_2^n$. We call $S$ secondary degenerate relative to $c$ if $e_i \in c \oplus S$ for some $i$.


5.2 Algorithm to get all minimal plain closures 


For a given set $S \in \Pi_n$ and a type vector $c \in \bar{S}$, Algorithm 3 adopts the depth-first search method and outputs all minimal plain closures of $S$ with type vector $c$. Below we give a sketch of Algorithm 3. First we act a shift $c$ on $S$ and get $S' = c \oplus S$. Since all coefficients of the FLIICs of $S'$ are non-negative, we expand $S'$ by adding all elements in $S'_i$ into $S'$ till $S'_i = \emptyset$ for all $i$'s, and then deal with the degeneration cases. Next, we check whether $S'$ is an ordered set or not by the Order Theorem. If both $I_{i,j} \setminus I_{j,i}$ and $I_{j,i} \setminus I_{i,j}$ are non-empty for some $i, j$, we choose one of them and add it into $S'$. Repeat this process till $S'$ is an ordered set. Let $\sigma$ be the position permutation derived by the order of $S'$. Denote $S'' = \sigma(S')$. Then we check the consistent condition in Definition 15 repeatedly, choose one of those $y$ which lead to contradictions and add it into $S''$ till $S''$ is good. Finally, output $c \oplus \sigma^{-1}(S'')$ as a minimal plain closure of $S$. It should be pointed out that the correctness of Algorithm 3 is based on Theorem 5, and in practice we mainly use the case $k \le 4$ to check the consistent condition and construct candidate minimal closures. In this way, all minimal plain closures can be obtained with great probability. Subsequently, further inspections are applied to confirm that these sets are plain, and the exact number of the minimal closures can be obtained. To improve the efficiency of the process for checking the consistent condition, we take advantage of minimal and maximal representations. In detail, taking $k = 2$ for example, it is not necessary to exhaust all possible quartets to test the consistent condition; just checking $x + x' < y + y'$ for all $x, x' \in S_{\min}$ and all $y, y' \in S_{\max}$ is enough.


Algorithm 3 Get all minimal plain closures of $S$ with type vector $c$
Input: A set $S \in \Pi_n$ and $c \in \bar{S}$
Output: All minimal plain closures of $S$
1: Initialize $M = \emptyset$ and $\mathcal{S} = \emptyset$;
2: $S' = c \oplus S$;
3: Expand $S'$ repeatedly by $S' \leftarrow S' \cup S'_i$ till $S'_i = \emptyset$ for all $i$'s;
4: Check the first and secondary degeneration condition for $S'$ and deal with the degeneration case;
5: Initialize an empty stack $ST$ and push $S'$ into the stack;
6: while $ST$ is non-empty do
7:    Pop the top element of $ST$, denoted by $S_{top}$;
8:    Compute $I_{i,j}$ and $I_{j,i}$ of $S_{top}$;
9:    Collect all pairs $(i, j)$ into $\Omega$ such that $I_{i,j} \not\subset I_{j,i}$ and $I_{j,i} \not\subset I_{i,j}$;
10:   if $\Omega = \emptyset$ then
11:      $\mathcal{S} \leftarrow S_{top}$ and guarantee all order sets are minimal;
12:   else
13:      Select a pair $(i, j)$ from $\Omega$;
14:      Compute $1 = Stop U (ej e Ij; M 4) and So = Stop U (e; p DM)
15:      Push $S_1$, $S_2$ into $ST$;
16:   end if
17: end while
18: for each $S \in \mathcal{S}$ do
19:    Determine a position permutation $\sigma$ by $S$;
20:    Compute $S \leftarrow \sigma(S)$;
21:    Compute $S_{\min}$ and $S_{\max}$;
22:    Check the consistent condition in Definition 15 according to $S_{\min}$ and $S_{\max}$ and collect all tuples $(y_0, y_1, \dots, y_{k-1})$ not satisfying the consistent condition into $\mathcal{Y}$;
23:    if $\mathcal{Y} \ne \emptyset$ then
24:       Search all possible combinations $Y$ such that for each tuple in $\mathcal{Y}$, exactly one of $y_i$ belongs to $Y$;
25:       For each combination $Y$, do $M \leftarrow \sigma^{-1}(S \cup Y)$;
26:    end if
27: end for
28: Deal with the anti-degeneration operation for each $S \in M$ if the degeneration operation in Step 4 has been done;
29: For each $S \in M$, compute $S \leftarrow c \oplus S$;
30: return $M$;


Remark 2 (The time complexity analysis of Algorithm 3). In Line 3, $S'$ is updated by computing $S'_i$ and merging it to $S'$ iteratively. It indeed adds all elements in $\bar{S}$ larger than some element of $S$ into $S$ in the sense of weak orders. So at most $|S| \times |\bar{S}|$ comparisons are needed, which is bounded by $2^{2n-2}$.

The loop from Line 6 to Line 17 aims to generate all order sets. To arrange $n$ integers in order, at most $O(n \log n)$ comparisons are needed. Since each comparison may have two results, the size of $\mathcal{S}$ is bounded by $O(2^{n + \log n}) = O(n2^n)$. In practice our experiments show that it is far less than $n2^n$. During the generation of each element in $\mathcal{S}$, about $2n \log n$ $I_{i,j}$'s need to be calculated and updated at most $n \log n$ times. So the complexity of this loop is $O(n2^n (n \log n)^2) = O(n^3 2^n \log^2 n)$.

The minimal (or maximal) representation of $S$ can be calculated in $|S_{\min}||S|$ (or $|S_{\max}||S|$), and the check of the consistent condition takes at most $(|S_{\min}||S_{\max}|)^4$ when $k \le 4$. According to experimental results, we find that both $|S_{\min}|$ and $|S_{\max}|$ are less than 16 most of the time, and only a few out of one million good candidate sets do not satisfy the consistent condition with $k \le 4$. Hence we take $k = 4$ in Step 22 and finally fix good candidate sets not satisfying the consistent condition in experiments. Then the total time complexity from Line 18 to Line 27 is about $n2^n \times 16^8 \approx n2^{n+32}$, where we take $|\mathcal{S}| = n2^n$.

To summarize, the time complexity of Algorithm 3 is about $n2^{n+32}$ when $n$ is not too large. It should be mentioned that this upper bound is rarely reached in practice because we make lots of relaxation during the analysis.


5.3 Comparison with Sun's and Sasaki and Todo's works 


In this section we will compare our method with Sun's [Sun21] and Sasaki and Todo's [Udo21]. Generally speaking, we study the relationship between sets, inequalities and inequality coefficients more systematically and more deeply, and present essential properties of plain sets, including type, sparsity, degeneration, order, minimal and maximal element, norm and its bound, etc., and a sufficient and necessary condition characterizing them, which makes our methods more complete in both theory and implementation.

First of all, though their works also introduced the concept of the order, their order does not take the influence of the inequality coefficients into consideration, and it is indeed a weak order. We synthesize the weak order and the natural order of inequality coefficients, and introduce the concept of strong order, which exposes the essential order property of a plain set and can narrow the space of candidate good sets in Algorithm 3. For more details on the comparison of order, readers can refer to subsection

Secondly, as for the SuperBall Approach in [Sun21], Sun's work starts from the shift to the points to be cut, and then introduces the concept of the order. Different from his technical route, we consider all shifts that cover the entire space and then rigorously prove that only those centered on points to be cut are non-trivial. As for the construction of inequalities, his approach entirely relies on MILP solvers to solve the optimization problem. However, our method gets the plain closures directly by the sufficient and necessary condition of plain sets, and does not rely on any third-party tools. Thus our algorithm possesses higher efficiency and can deal with S-boxes of larger dimensions.

Thirdly, their two works do not discuss the coefficients of the inequalities. The coefficients of inequalities obtained by MILP tools are often large, but our method can strictly control the range of inequality coefficients. Although no one can assert the specific relationship between the size of coefficients and the efficiency of the MILP solvers, according to our experiments, smaller coefficients tend to speed up the solution.

Finally, as for applications to the S-boxes used in block ciphers, our method is suitable for S-boxes with higher dimensions. For example, for some S-boxes used in SKINNY128, MISTY-9 and DRYGASCON256, and so on, their methods are not feasible but ours is. What is more, we can get many better solutions than theirs, especially for the high-dimensional S-boxes. For more details, please see Tables 1 and 2.


6 Applications 


6.1 S-boxes 


The description of finite sets can be used to characterize the propagation rules of cryptographic components in many kinds of cryptanalysis. We revisit the original problem: the characterization of the Differential Distribution Table (DDT, in short) in differential analysis. When turning to a bit-oriented block cipher, attackers need to take details of S-boxes into consideration. In an MILP model, modeling S-boxes means characterizing the propagation of differentials; this can be done by exploring the DDT of the S-box, which is a $2^n \times 2^n$ table given by:

$$\mathrm{DDT}(a, b) = \#\{x \in \mathbb{Z}_2^n \mid S(x) \oplus S(x \oplus a) = b\},$$

where $a, b$ represent the input and output differential respectively.

The truncated version of the DDT is denoted as *-DDT [AST+17], where all non-zero entries of the DDT are replaced by 1. Since probabilities of possible transitions are out of concern, modeling the *-DDT is enough for our work, which amounts to modeling a Boolean function:

$$f : \mathbb{Z}_2^{2n} \to \mathbb{Z}_2, \qquad f(x, y) = \begin{cases} 0, & \text{if } \mathrm{DDT}(x, y) = 0; \\ 1, & \text{otherwise.} \end{cases} \tag{18}$$

If $f(x, y) = 1$, $(x, y)$ is defined as a possible transition pattern (non-zero entries in the DDT), otherwise it is defined as an impossible transition pattern (zero entries in the DDT). The goal is to model possible propagation patterns and impossible propagation patterns of the DDT of an S-box by linear constraints (i.e., linear inequalities). Then the problem becomes the description of a subset of $\mathbb{Z}_2^{2n}$, i.e., finding a FLIIC for a given subset. We apply Algorithm 5 to the DDT of various S-boxes and get their best FLIICs. The results are summarized in Table 2. Algorithm 5 is implemented by calling Algorithm 3 $|\bar{S}|$ times. Since there are at most $2^{2n}$ non-trivial types, the time complexity is bounded by $n2^{4n+33}$. In addition, our algorithm is parallel-friendly with respect to points in $\bar{S}$.

Algorithm 4 Find all the minimal closures of a set $S$
Input: A set $S$ of all possible propagation patterns
Output: All the minimal closures of $S$
1: Initialize $\mathcal{C} = \emptyset$;
2: for all $c \in \bar{S}$ do
3:    $\mathcal{C} \leftarrow$ All minimal plain closures of $S$ with type vector $c$ by calling Algorithm 3;
4: end for
5: return $\mathcal{C}$;


Algorithm 5 Get a best FLIIC of a set $S$
Input: A set $S$ of all possible propagation patterns
Output: A best FLIIC $L$ of $S$
1: Initialize $L = \emptyset$;
2: Initialize $\mathcal{C} = \emptyset$;
3: $\mathcal{C} \leftarrow$ All minimal plain closures of $S$ by calling Algorithm 4;
4: Get a best solution $\mathcal{C}$ by solving the set cover problem for $\mathcal{C}$;
5: for all $C \in \mathcal{C}$ do
6:    $L \leftarrow$ A best FLIIC of $C$ by calling Algorithm 1;
7: end for
8: return $L$;
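
The pipeline of this subsection on a 4-bit S-box, as an added example that is not the paper's code: it builds the DDT, turns the *-DDT into the point set $S \subseteq \mathbb{Z}_2^{8}$, and assembles a FLIIC by set cover in the manner of Algorithm 5. Two stand-ins are assumptions of the example: Hamming-ball cuts around each impossible pattern $c$ replace the minimal plain closures of Algorithm 3, and a greedy cover replaces the exact set-cover solution; the S-box is the SKINNY-64 one and all function names are illustrative.

```python
from itertools import product

# SKINNY-64 4-bit S-box (public specification constant).
SBOX = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
        0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]
N = 4


def ddt(sbox):
    """DDT(a, b) = #{x : S(x) xor S(x xor a) = b}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def bits(value, width):
    """Bit i of the integer becomes coordinate x[i]."""
    return tuple((value >> i) & 1 for i in range(width))


def possible_patterns(table, n):
    """*-DDT as a point set: (a, b) is kept whenever DDT(a, b) != 0."""
    return {bits(a, n) + bits(b, n)
            for a, row in enumerate(table)
            for b, count in enumerate(row) if count}


def value(coeffs, x):
    return sum(a * bit for a, bit in zip(coeffs, x))


def ball_cut(c, points_in_s):
    """Inequality sum_i (x[i] xor c[i]) >= d, with d the distance from c to S.

    In linear form the coefficient is +1 where c[i] = 0 and -1 where
    c[i] = 1, and the constant is d - wt(c). Every point of S satisfies it
    and the points closer than d to c are removed, so it is a plain closure
    of S whose coefficient signs follow the type vector c.
    """
    d = min(sum(u != v for u, v in zip(c, s)) for s in points_in_s)
    return tuple(-1 if bit else 1 for bit in c), d - sum(c)


def greedy_fliic(points_in_s, n_vars):
    """One candidate cut per impossible pattern, then a greedy set cover."""
    universe = set(product((0, 1), repeat=n_vars))
    complement = universe - points_in_s
    removed_by = {}
    for c in sorted(complement):
        coeffs, b = ball_cut(c, points_in_s)
        removed_by[(coeffs, b)] = {x for x in complement
                                   if value(coeffs, x) < b}
    uncovered, chosen = set(complement), []
    while uncovered:
        best = max(removed_by,
                   key=lambda ineq: len(removed_by[ineq] & uncovered))
        chosen.append(best)
        uncovered -= removed_by[best]
    return chosen


def satisfied_set(inequalities, n_vars):
    """Points of Z_2^n that satisfy every inequality in the list."""
    return {x for x in product((0, 1), repeat=n_vars)
            if all(value(coeffs, x) >= b for coeffs, b in inequalities)}


def demo():
    table = ddt(SBOX)
    s = possible_patterns(table, N)
    return table, s, greedy_fliic(s, 2 * N)


if __name__ == "__main__":
    table, s, fliic = demo()
    print(len(s), "possible patterns,", 256 - len(s), "impossible patterns")
    print(len(fliic), "inequalities selected by the greedy cover")
```

The final check that matters for a MILP model is `satisfied_set(fliic, 8) == s`: the selected inequalities admit exactly the possible transition patterns and nothing else.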




6.2 Impossible Differential 


In this section we further apply our FLIIC solution on the DDT of the S-boxes to search the impossible differential trails of SPN ciphers. It is noticed that a systematic method to find all impossible differential trails for SPN block ciphers was provided in [HPW22]. Their idea is to partition the whole difference pair space into small disjoint sets, and a core step of their method is solving the MILP models. Since the search space is large, the whole process needs to solve a large number of MILP models, and the overall search time depends on the solving efficiency of these models. We just replace the FLIIC solution of S-boxes in their models with the one generated by our algorithm and keep everything else unchanged. The experimental results are shown in Table 6. It can be seen that the new FLIIC solution provided by our algorithm can significantly improve the solving efficiency. Moreover, the larger the number of rounds, the more significant the effect. This is because the effect of a better FLIIC on the scale of the model is more pronounced for larger rounds. It is reasonable to believe that the best FLIIC will help to provide better cryptanalysis in many cases.


Table 6. Comparison of the time of impossible differential trail searches on Skinny-64

Round | Prev. Time (1) | Our Time (2) | Our / Prev.
11    | 16662 s        | 6901 s       | 41.4%
12    | 19742 s        | 6294 s       | 31.2%
13    | 26186 s        | 7041 s       | 26.9%

(1) Prev. Time: The total solving time using the FLIIC of Skinny-64's S-box provided in [HPW22], and the cardinality of their solution is 34;

(2) Our Time: The total solving time using the FLIIC of Skinny-64's S-box provided by our new algorithm, and the cardinality of our solution is 14.

Appendix A The Proof of Theorem


Definition A.1. Suppose $S$ is an $n$-dimensional Euclidean space. Denote $v$ as a point in $S$ and $S'$ as a subspace of $S$ which does not need to contain the origin. If there is a point $v'$ in $S'$ such that $\forall \alpha_1, \alpha_2 \in S'$, $(\alpha_1 - \alpha_2, v - v') = 0$, we say $v'$ is the projection from $v$ to $S'$. The distance from $v$ to $S'$ is defined as the Euclidean distance between $v$ and $v'$. Moreover, the uniqueness of the projection is easily verified.


Definition A.2. Suppose $v_1$ and $v_2$ are two points in $S$, and $v'_1$ and $v'_2$ are their projections in a subspace $S'$ respectively. The included angle of $v_1$ and $v_2$ about $S'$ is defined as the angle between the vectors $v'_1 v_1$ and $v'_2 v_2$, which is denoted as $\varphi(v_1, v_2)$.

Lemma A.1. Suppose $S_n$ is an $n$-dimensional Euclidean space, and $S_{n-1}$ and $S'_{n-1}$ are two different $(n-1)$-dimensional subspaces of $S_n$. Then $S_{n-1} \cap S'_{n-1}$ is an $(n-2)$-dimensional subspace of $S_n$.


Proof: Since $S_{n-1} \ne S'_{n-1}$, we have $S_{n-1} \cup S'_{n-1} = S_n$, then the dimension of their intersection can be calculated as below:

$$\dim(S_{n-1} \cap S'_{n-1}) = \dim(S_{n-1}) + \dim(S'_{n-1}) - \dim(S_{n-1} \cup S'_{n-1}) = n - 2.$$


Definition A.3. Suppose $S_n$ is an $n$-dimensional Euclidean space, and $S_{n-1}$ and $S'_{n-1}$ are two different $(n-1)$-dimensional subspaces of $S_n$. Denote $S_{n-2} = S_{n-1} \cap S'_{n-1}$ and $\alpha_0$ as the origin of $S_{n-2}$. Suppose $\{e_1, e_2, \dots, e_{n-2}\}$ is an orthogonal basis of $S_{n-2}$, and $e_{n-1}$ and $e'_{n-1}$ are vectors added when $S_{n-2}$ is extended to $S_{n-1}$ and $S'_{n-1}$ respectively. The included angle between $S_{n-1}$ and $S'_{n-1}$ is defined as $\min\{\varphi(e_{n-1}, e'_{n-1}),\ \pi - \varphi(e_{n-1}, e'_{n-1})\}$, where $\varphi(\cdot, \cdot)$ is the angle between two vectors.


Remark 1. For every $\alpha_1 \in S_{n-1} \setminus S_{n-2}$ and $\alpha_2 \in S'_{n-1} \setminus S_{n-2}$, the included angle of $\alpha_1$ and $\alpha_2$ about $S_{n-2}$ is either equal or complementary to the included angle between $S_{n-1}$ and $S'_{n-1}$. This is because $\alpha'_1\alpha_1$ and $\alpha'_2\alpha_2$ are either in the same direction as $e_{n-1}$ and $e'_{n-1}$ or the contrary, where $\alpha'_1$ and $\alpha'_2$ are the projections of $\alpha_1$ and $\alpha_2$ in $S_{n-2}$ respectively.


Definition A.4. Suppose $S_n$ is an $n$-dimensional Euclidean space, $S_{n-1}$ is an $(n-1)$-dimensional subspace of $S_n$ and $S_{n-2}$ is an $(n-2)$-dimensional subspace of $S_{n-1}$. Denote the origin of $S_{n-2}$ as $\alpha_0$ and $\{e_1, e_2, \dots, e_{n-2}\}$ as an orthogonal basis of $S_{n-2}$. The rotation of $S_{n-1}$ about $S_{n-2}$ in $S_n$ is defined as a matrix under the orthogonal basis $\{e_1, e_2, \dots, e_n\}$ of $S_n$:

$$R(\beta) = \begin{pmatrix} I_{n-2} & & \\ & \cos(\beta) & \sin(\beta) \\ & -\sin(\beta) & \cos(\beta) \end{pmatrix},$$

where $\beta \in [-\pi, \pi]$. Use $S'_{n-1}$ to denote $R(\beta)S_{n-1}$, then $S'_{n-1}$ is also an $(n-1)$-dimensional subspace of $S_n$ and $\{e_1, e_2, \dots, e_{n-2}, \cos\beta\, e_{n-1} - \sin\beta\, e_n\}$ is an orthogonal basis of $S'_{n-1}$.


Remark 2. $\beta$ in Definition A.4 can be viewed as the angle in Definition A.3.


Proof: Denote $v = x_1 e_1 + x_2 e_2 + \cdots + x_n e_n$, which can also be written as $(x_1, x_2, \dots, x_n)^T$. Suppose $v' = R(\beta)v$, then the projection from $v$ and $v'$ to $S_{n-2}$ is $v'' = x_1 e_1 + x_2 e_2 + \cdots + x_{n-2} e_{n-2}$. Since $v''v = (0, 0, \dots, x_{n-1}, x_n)^T$ and $v''v' = R(\beta)(0, 0, \dots, x_{n-1}, x_n)^T$, it is easy to check that the angle between these two vectors is $\beta$.


Remark 3. The rotation in Definition A.4 is ergodic.


Proof: For any $\gamma \in S_n$, there exist $\alpha \in S_{n-1}$, $\beta \in [0, 2\pi]$ such that $R(\beta)\alpha = \gamma$. Denote $\gamma = x_1 e_1 + x_2 e_2 + \cdots + x_n e_n$ and $\alpha = x_1 e_1 + x_2 e_2 + \cdots + x_{n-2} e_{n-2} + \sqrt{x_{n-1}^2 + x_n^2}\, e_{n-1}$. The final conclusion can be obtained from the properties of the 2-dimensional plane rotation.


Definition A.5. Suppose $S_n$ is an $n$-dimensional Euclidean space and $S_{n-1}$ is an $(n-1)$-dimensional subspace of $S_n$, which is also known as the hyperplane. $S_n$ is divided into two disjoint parts according to $S_{n-1}$. We say $\alpha, \beta$ are on the different sides of $S_{n-1}$ if and only if $\exists \gamma \in S_{n-1}$, $t \in (0, 1)$, s.t. $\gamma = t\alpha + (1 - t)\beta$.


Remark 4. Suppose $S$ is a subspace of $S_n$. For any $\alpha, \beta \in S_n$, the line connecting $\alpha$ and $\beta$ is either in $S$ or has at most one intersection with $S$.


Lemma A.2. Suppose $S_k$ is a $k$-dimensional Euclidean space, and $S_{k-1}$ and $S_{k-2}$ are subspaces of $S_k$ whose dimensions are $k-1$ and $k-2$ respectively. $S_{k-1}$ is divided into two disjoint parts $A$ and $B$ according to $S_{k-2}$. Denote the resulting subspace as $S'_{k-1}$ after conducting a rotation in Definition A.4 on $S_{k-1}$, then $A$ and $B$ are on different sides of $S'_{k-1}$. If there exist two points $\alpha_1$ and $\alpha_2$ on different sides of $S_{k-1}$, such that the rotation $R(\beta)$ doesn't meet these two points, then $\beta > 0$ ($\beta < 0$) if $\alpha_1$ ($\alpha_2$) is on the same side as $A$.


Proof: According to Definition A.5, $\forall a \in A$, $b \in B$, $\exists t \in (0, 1)$, $c \in S_{k-2}$, s.t. $c = ta + (1 - t)b$. Since $S_{k-2} \subset S'_{k-1}$, $c \in S'_{k-1}$, then $a$ and $b$ are on different sides of $S'_{k-1}$. The first part of the conclusion follows from the arbitrariness of $a$ and $b$.

As for the second part, without loss of generality, we can assume that $\alpha_1$ is on the same side as $A$ after a rotation $R(\beta)$, where $\beta > 0$. Choose $a \in A$ which has the same projection $p$ on $S_{k-2}$ as $\alpha_1$; the line crossing $\alpha_1$ and $a$ intersects $R(\beta)S_{k-1}$ at the point $c$ and intersects $R(-\gamma)S_{k-1}$ at the point $c'$, where $\gamma > 0$. We only need to prove that if $c = t_1 a + (1 - t_1)b$, $c' = t_2 a + (1 - t_2)b$, $t_1 \in (0, 1)$, then $t_2 \in (0, 1)$. Consider the plane determined by $a$, $\alpha_1$ and $p$. Since

$$R(\beta)S_{k-1} = R(\beta + \gamma)R(-\gamma)S_{k-1},$$

we can get $\angle apc = \beta$, $\angle apc' = \gamma$, $\angle cpc' = \beta + \gamma$ by Remark, then the conclusion can be obtained according to the knowledge in plane geometry.

Definition A.6. Suppose $S_n$ is an $n$-dimensional Euclidean space with an origin and an orthogonal basis. A point in $S_n$ is called a lattice if and only if each of its coordinate components is either 0 or 1; a point in $S_n$ is called a quarter-lattice if and only if its coordinate components only take values from $\{0, \tfrac{1}{4}, \tfrac{1}{2}, \tfrac{3}{4}, 1\}$.

Definition A.7. Suppose $S_n$ is an $n$-dimensional Euclidean space. A $k$-dimensional subspace $S_k$ is called a lattice-subspace (quarter-lattice-subspace) if and only if it can be determined by $k + 1$ lattices (quarter-lattices) $\{\alpha_0, \alpha_1, \dots, \alpha_k\}$, i.e.,

$$\{\alpha_0\alpha_1, \alpha_0\alpha_2, \dots, \alpha_0\alpha_k\}$$

are linearly independent as vectors.


Lemma A.3. Suppose $S_n$ is an $n$-dimensional Euclidean space with an origin and an orthogonal basis. Denote $S_k$ as a $k$-dimensional subspace of $S_n$ whose lattices are divided into two parts denoted as $A$ and $B$ by a $(k-1)$-dimensional subspace $S_{k-1}$. Then $S_{k-1}$ can be mapped to a lattice-subspace $S'_{k-1}$ by some rotations in Definition A.4 without crossing any lattice.


Proof: Denote the set of all lattices in $S_{k-1}$ as $T_0$, and define $\mathrm{rank}(T_0)$ to be the dimension of the subspace $V_0$ which is determined by $T_0$. It is clear that $0 \le \mathrm{rank}(T_0) \le k - 1$, and we can extend $T_0$ according to the following operations:


1. While $\mathrm{rank}(T_0) < k - 1$

2. Choose a $(k-2)$-dimensional subspace $V'_0$ of $S_k$ which contains $V_0$;

3. For every lattice $\alpha \notin T_0$, denote $V_\alpha$ as the subspace which is determined by $V'_0$ and $\alpha$, then calculate the included angle between $V_\alpha$ and $S_{k-1}$. Denote $\beta$ as the smallest of these angles, let $\beta$ correspond to lattice $\alpha'$, and perform a rotation on $S_{k-1}$ about $V'_0$ in $S_k$ with angle $\beta' = \beta$ or $-\beta$ such that $\alpha' \in R(\beta')S_{k-1}$.

4. $S_{k-1} \leftarrow R(\beta')S_{k-1}$;

5. $T_0 = \{\text{lattices in } S_{k-1}\}$.


Since $\mathrm{rank}(T_0) < k - 1$, we can always find a lattice $\alpha \notin T_0$ and then extend $T_0$ according to $\alpha$. The program terminates only if $\mathrm{rank}(T_0) = k - 1$. Moreover, these operations will never cross any lattice since the rotation angle is the smallest of all the lattices.


Lemma A.4. Suppose $S_n$ is an $n$-dimensional Euclidean space with an origin
and an orthogonal basis. Denote $S_k$ as a $k$-dimensional subspace of $S_n$ whose
lattices are divided into two parts, denoted as $A$ and $B$, by a $(k-1)$-dimensional
subspace $S_{k-1}$. Then there exists a $(k-1)$-dimensional quarter-lattice-subspace
$S'_{k-1}$ which divides all lattices in $S_k$ into two parts $A$ and $B$.


Proof: We fix $n$ and prove the result by induction on $k$. The conclusion obviously
holds when $k = 2$. Assume that the result holds when $k \le m-1$.

Suppose $k = m$, then we have an $(m-1)$-dimensional subspace $S_{m-1}$ of $S_m$
which divides all lattices in $S_m$ into $A$ and $B$. By Lemma A.3 it can be mapped
to a lattice-subspace $S'_{m-1}$. All lattices in $S_m$ are divided into three parts $A'$,
$B'$ and $C'$ where $A' \subseteq A$, $B' \subseteq B$, $C' \subseteq S'_{m-1}$. If $C' = \emptyset$, then $S'_{m-1}$ is exactly
what we want. Otherwise, if $C' \neq \emptyset$, consider $S_{m-2} = S_{m-1} \cap S'_{m-1}$, which is an
$(m-2)$-dimensional subspace of $S'_{m-1}$ according to Lemma. Then all lattices
in $S'_{m-1}$ are divided into two parts $A''$ and $B''$ by $S_{m-2}$, where $A'' \subseteq A$, $B'' \subseteq B$.
By the induction assumption, there exists an $(m-2)$-dimensional quarter-lattice-subspace
$S'_{m-2}$ which divides all lattices in $S'_{m-1}$ into $A''$ and $B''$. For every
lattice $\alpha \in S'_{m-1}$, calculate the included angle between $V_\alpha$ and $S'_{m-1}$, where $V_\alpha$
is determined by $S'_{m-2}$ and $\alpha$; every $\alpha$ corresponds to an angle $\beta$ and a rotation
$R(\beta)$ or $R(-\beta)$. Then we choose $R(\beta_1)$ and $R(-\beta_2)$ among all of these rotations
such that their absolute values are the smallest in the two classes respectively.

By Lemma A.2, $A''$ and $B''$ will be separated by the rotation $R(\beta)$, and we
can choose $\beta_1$ or $-\beta_2$ such that $A''$ is on the same side as $A'$. Without loss
of generality, assume that $R(\beta_1)$ is selected, where $\beta_1$ corresponds to lattice $\alpha'$.
Consider the lattice-subspace $S'_{m-1}$, which is determined by $m$ lattices

$$\{\alpha_0, \alpha_1, \cdots, \alpha_{m-1}\},$$

and choose a lattice $\alpha_i \in S'_{m-1} \setminus S'_{m-2}$; then $S'_{m-1}$ can also be determined by $\alpha_i$ and
$S'_{m-2}$. Denote the quadrisection of $\alpha_i\alpha'$ as $\{\alpha^1, \alpha^2, \alpha^3\}$; according to Remark [4],
$\alpha_i\alpha'$ has at most one intersection with $S'_{m-1}$. So we can choose $\alpha^j$ such that
$S'_{m-2}$ and $\alpha^j$ can determine an $(m-1)$-dimensional quarter-lattice-subspace
of $S_m$. Now we only need to check whether $\rho(\alpha_i, \alpha^j) < \rho(\alpha_i, \alpha')$ holds. Since
$\alpha_i, \alpha^j, \alpha'$ are collinear, their projections on $S'_{m-1}$ are collinear, so the question
is transformed to a 3-dimensional geometry question which is obviously right.


Theorem A.1. Suppose $S_n$ is an $n$-dimensional Euclidean space with an origin
and an orthogonal basis, and $S_{n-1}$ is a hyperplane which divides lattices in $S_n$ into
two parts $A$ and $B$. Then there exists another hyperplane $S'_{n-1}$ which can be
denoted as $\sum_{i=1}^{n} a_i x_i = d$, $a_i, d \in \mathbb{Z}$, and $S'_{n-1}$ also divides lattices in $S_n$ into
$A$ and $B$ and $\max\{|a_i|, |d|\} < 2^{?n}\,n!$.


Proof: By Lemma, there exists a quarter-lattice-subspace $S'_{n-1}$ which divides
all lattices in $S_n$ into $A$ and $B$. $S'_{n-1}$ is determined by $\{\alpha_1, \alpha_2, \cdots, \alpha_n\}$
where $\alpha_i$ is a quarter-lattice for $1 \le i \le n$. Plug $\alpha_i$ into $S'_{n-1}$: $\sum_{i=1}^{n} a_i x_i = d$,
we get


Denote $M = (\alpha_1\ \alpha_2\ \cdots\ \alpha_n)$. Then $(a_1\ a_2\ \cdots\ a_n) = (d\ d\ \cdots\ d)\,M^{-1}$.
Since $\alpha_i$ is a quarter-lattice, we have $4M \in M_n(\mathbb{Z})$ and $M^{-1} = \frac{1}{4^n}(4M)^{-1}$.
Then

$$(a_1\ a_2\ \cdots\ a_n) = (d\ d\ \cdots\ d)\,\frac{1}{4^n}(4M)^{-1} = (d\ d\ \cdots\ d)\,\frac{1}{4^n\,|4M|}(4M)^{*}.$$

Since $0 \le 4m_{i,j} \le 4$, one can easily check that $|4M| < 4^n \times n!$. Similarly, for
every $m_{i,j} \in (4M)^{*}$, we can get $|m_{i,j}| < 4^{n-1} \times (n-1)!$.

Let $d = 4^n|4M| < 4^{2n}\,n!$, then $(a_1\ a_2\ \cdots\ a_n) = (1\ 1\ \cdots\ 1)\,(4M)^{*}$.
Hence $a_i < n \times 4^{n-1} \times (n-1)! < 2^{?n}\,n!$ holds for $1 \le i \le n$.
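
The existence claim of Theorem A.1 can be checked by brute force on a small case. The following Python sketch is an added example, not code from the paper: it records how a rational hyperplane partitions $\{0,1\}^n$ and searches for the integer hyperplane of smallest $\max(|a_i|, |d|)$ inducing the same partition. The function names and the sample hyperplane are assumptions constructed for illustration.

```python
from fractions import Fraction
from itertools import product

def partition(coeffs, d):
    """Split {0,1}^n by sum(c_i * x_i) = d. Returns the unordered pair
    {A, B}, or None when some lattice lies on the hyperplane itself."""
    sides = (set(), set())
    for x in product((0, 1), repeat=len(coeffs)):
        value = sum(c * xi for c, xi in zip(coeffs, x))
        if value == d:
            return None
        sides[value > d].add(x)  # False -> side 0, True -> side 1
    return frozenset(map(frozenset, sides))

def smallest_integer_separator(coeffs, d, max_norm):
    """Search integer (a_1..a_n, d') by increasing norm max(|a_i|, |d'|)
    for a hyperplane inducing the same partition as (coeffs, d)."""
    target = partition(coeffs, d)
    if target is None:
        raise ValueError("a lattice lies on the given hyperplane")
    n = len(coeffs)
    for norm in range(1, max_norm + 1):
        rng = range(-norm, norm + 1)
        for cand in product(rng, repeat=n + 1):
            if max(map(abs, cand)) != norm:
                continue  # already examined at a smaller norm
            if partition(cand[:n], cand[n]) == target:
                return cand[:n], cand[n]
    return None  # nothing found within max_norm

# Constructed sample: 0.3*x1 + 0.5*x2 + 0.7*x3 = 0.9 in S_3.
SAMPLE = ([Fraction(3, 10), Fraction(1, 2), Fraction(7, 10)], Fraction(9, 10))

if __name__ == "__main__":
    a, d = smallest_integer_separator(*SAMPLE, max_norm=8)
    print("integer hyperplane:", a, "=", d)
```

For this sample the search stops at norm 5: no integer $d$ fits strictly between the two sides for any smaller coefficients, because integer-valued sides need a gap of at least 2.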